Security vulnerability, which also affects Telegram, allows malicious actors to misuse and manipulate sensitive information

A major security flaw with WhatsApp and Telegram could allow hackers to view and manipulate people’s private photos, videos and voice memos.

Researchers from cyber security firm Symantec uncovered the ‘Media File Jacking’ vulnerability, which they claim affects the Android versions of the popular messaging apps.

If exploited, attackers could “misuse and manipulate sensitive information” from a person’s WhatsApp or Telegram, the researchers warned, either “for personal gain or to wreak havoc”.

Both messaging apps offer their users security through end-to-end encryption, which is designed to protect the identity of the sender and prevent hackers from intercepting the content of messages.

While this works to a certain extent, the Symantec researchers said it actually gave users a false sense of security when using WhatsApp and Telegram.

“The common perception [is] that the new generation of Instant Messaging apps is immune to content manipulation and privacy risks,” the researchers wrote in a blog post that details their findings.

“While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code.”

The vulnerabilities uncovered by the researchers allow malicious actors to access and manipulate media files by taking advantage of flaws in the apps that occur before or after the content is encrypted in transit.

The ability to manipulate images and other media files could have serious implications if it was used, for example, on public figures. Researchers said it could have wide-reaching consequences if the media files of “a politician running for office or a company executive” were manipulated.

The issue exists in WhatsApp by default on Android, while Telegram is affected if the ‘Save to Gallery’ feature is enabled.

Symantec researchers warned that neither app has any measure in place to protect their users from a Media File Jacking attack. The Independent has contacted Telegram and WhatsApp for comment on the issue.

The next version of Google’s mobile operating system, Android Q, will see changes that may help prevent abuse of the security flaw, though users of the apps can also take action now to avoid falling victim to it.

“Users can mitigate the risk of Media File Jacking by disabling the feature that saves media files to external storage,” the researchers wrote, advising users to access the apps’ settings in order to do this.