Secure Messaging Applications Prone to Session Hijacking
Secure messaging applications such as Telegram, Signal and WhatsApp can expose user messages through a session hijacking attack, Cisco’s Talos security researchers warn.
The three applications, all of which offer end-to-end encryption, claim to be able to keep users’ messages secure by encrypting them and preventing third parties from accessing them. According to Talos, however, this is not exactly true, as conversations could be exposed in certain scenarios.
One of the main issues, the researchers say, is the fact that these applications assume that their users are security-educated and that they understand the risks of enabling certain settings on their devices. With hundreds of millions of users using these apps, this clearly isn’t the case.
Talos points out that the applications encrypt the content of all communication between users end to end, with no third party involved, so neither the service provider nor anyone sniffing network traffic should be able to read it at any point. That guarantee, however, does not extend to the data while it is being processed or while it sits on the user's device.
The apps run on the major mobile platforms and also ship desktop clients, and Talos found that malware running on the desktop can steal the client's stored session information and use it to hijack the session, giving the attacker access to the data without the user knowing, or at least before the user realizes a hijack has taken place.
On Telegram, the session hijacking is most likely to go unnoticed, and the attacker receives every message the victim sends or receives. The attacker uses the stolen session information to establish a new session, and the user is never alerted to it; the only way to notice is to check the list of active sessions manually.
Signal, on the other hand, handles a hijacked session as a race condition: the user's and the attacker's clients compete for the same session. The user therefore sees an error message on the desktop application (no alert is shown on the mobile device), but by then the attacker already has access to all contacts and to every previous chat that was not deleted.
The attacker can avoid the race condition altogether by deleting the session information from the victim's desktop, so that the victim is prompted to re-link the desktop client. The re-linked session is visible only from the mobile device's list of linked devices, and it carries the same name as the attacker-controlled session, so the two cannot be told apart there.
“Therefore, the attacker will have the ability to view all messages and even impersonate the victims. The messages sent by the attacker will reach the victim’s legitimate devices, but the attacker can delete them while sending them, avoiding detection. If the impersonation is done using the “Disappearing messages” feature, it will be even harder for the victim to identify the imitation,” Talos says.
In WhatsApp, when a second desktop session is opened, a notification is displayed in whichever client is online at that moment. The user is prompted to choose which session to keep, but until that choice is made the attacker has access to all contacts and previous messages and can impersonate the user.
According to Talos, an attacker can even bypass this warning and keep the hijacked session alive: stop the WhatsApp application on the victim's machine, launch WhatsApp with the hijacked session on the attacker's machine, disable the network interface on the attacker's machine, and re-enable it only after the victim's WhatsApp client has been launched again.
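All three desktop hijacks above start the same way: a process running under the victim's account reads the client's session store, which the operating system lets any process of that user do. The following Python script is an added example, not code from Talos or from any of the three vendors, showing two checks a defender can run: a detector that flags reads of a session store by a process other than the messaging client itself, run here over a constructed sample log, and a permission audit that lists session files readable by other accounts. The session-store paths, the allow-listed process names and the simplified key=value log format are all assumptions made for the example.

```python
"""Added example: detect foreign readers of desktop messaging session stores
and audit the permission bits that are the only protection those stores get.
The paths, process names and log format below are assumptions, not taken
from the Talos report."""
import os
import stat
import tempfile

# Assumed locations of desktop session state and the process names allowed to
# read them (Linux desktop clients). Adjust for the platforms in your fleet.
SESSION_STORES = {
    "telegram": ("/home/alice/.local/share/TelegramDesktop/tdata/",
                 {"telegram-desktop"}),
    "signal": ("/home/alice/.config/Signal/", {"signal-desktop"}),
    "whatsapp-web": ("/home/alice/.config/google-chrome/Default/IndexedDB/"
                     "https_web.whatsapp.com_0.indexeddb.leveldb/", {"chrome"}),
}

# Constructed sample lines in a simplified key=value format (an assumption,
# not real auditd output): which executable opened which file for reading.
SAMPLE_LOG = """\
ts=1700000001 pid=4120 exe=/usr/bin/telegram-desktop path=/home/alice/.local/share/TelegramDesktop/tdata/key_datas op=read
ts=1700000002 pid=4777 exe=/usr/bin/signal-desktop path=/home/alice/.config/Signal/config.json op=read
ts=1700000003 pid=5310 exe=/tmp/.cache/updater path=/home/alice/.local/share/TelegramDesktop/tdata/key_datas op=read
ts=1700000004 pid=5310 exe=/tmp/.cache/updater path=/home/alice/.config/Signal/config.json op=read
ts=1700000005 pid=5311 exe=/usr/bin/python3 path=/home/alice/notes.txt op=read
ts=1700000006 pid=5312 exe=/usr/bin/cp path=/home/alice/.config/google-chrome/Default/IndexedDB/https_web.whatsapp.com_0.indexeddb.leveldb/000005.ldb op=read
"""


def parse_line(line):
    """Split one 'key=value key=value' log line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def store_for(path):
    """Return (store name, allowed process names) if path lies in a session store."""
    for name, (prefix, allowed) in SESSION_STORES.items():
        if path.startswith(prefix):
            return name, allowed
    return None


def detect_foreign_readers(log_text):
    """Return (store, pid, exe, path) for every read of a session store by a
    process whose executable name is not the messaging client itself."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("op") != "read" or "path" not in f or "exe" not in f:
            continue
        match = store_for(f["path"])
        if match is None:
            continue
        store, allowed = match
        if os.path.basename(f["exe"]) not in allowed:
            hits.append((store, int(f["pid"]), f["exe"], f["path"]))
    return hits


def exposed_files(root):
    """List files under root whose mode bits grant read access to the group or
    to others, i.e. files another local account could copy."""
    exposed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(full)
    return sorted(exposed)


def demo_permission_audit():
    """Build a throwaway store with one private and one group-readable file
    and return the basenames the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "key_datas")
        shared = os.path.join(root, "settings")
        for p in (private, shared):
            open(p, "w").close()
        os.chmod(private, 0o600)
        os.chmod(shared, 0o640)
        return [os.path.basename(p) for p in exposed_files(root)]


if __name__ == "__main__":
    for store, pid, exe, path in detect_foreign_readers(SAMPLE_LOG):
        print(f"ALERT {store}: pid {pid} ({exe}) read {path}")
    print("group/other-readable in demo store:", demo_permission_audit())
```

Note the limit of the permission audit: malware running as the same user, which is the scenario Talos describes, passes it, because the OS grants that user's processes access to their own files. That is why the reader allow-list matters more than the mode bits, and why a real deployment would feed it from the host's audit subsystem rather than from a constructed log.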
The researchers also found that Telegram's mobile version is prone to session abuse, since it allows "shadow sessions to coexist on the same device based on the same phone number while handling it in different applications." An attacker could thus read all of the victim's Telegram messages and contacts until the session is terminated, which the user has to request explicitly.
On Android, a malicious app granted the “read SMS” and “kill background process” permissions could create a shadow session without any user intervention. Normally, if the user tries to register the same phone number again, Telegram sends a code over the Telegram channel. However, if the registration isn’t completed in a specific timeframe, Telegram sends a new code over SMS, which is read by the malicious app.
“Secure instant messaging applications have a solid track record of protecting the information while in transit, even going as far as protecting the information from their own servers. However, they fall short when it comes to protecting application state and user information, delegating this protection to the operating system,” Talos concludes.