WhatsApp security flaw gives hackers access to personal media on your phone

With this exploit, what you see on WhatsApp and Telegram might not be what was sent to you. Here’s what you need to know.

Much has been said about the way that messaging apps such as WhatsApp and Telegram protect users by encrypting messages and media as they travel from your handset to the recipient.

WhatsApp and Telegram use very robust end-to-end encryption to ensure your messages remain private. However, security specialists are warning against “Media File Jacking”.

What is Media File Jacking?

Media File Jacking is an exploit that takes advantage of permissions giving apps access to external storage. It could allow malicious apps to access media once it reaches your phone.

WhatsApp will save media to external storage by default, while Telegram will use external storage when you select the “save as” option.

Apps with malicious intentions and the correct permissions could then manipulate the image before the user has even seen the original.

According to CNet, researchers tested malware they created to manipulate image and audio files sent through WhatsApp and Telegram:

“In a demo clip, a person sent a photo of two friends. The malware on the recipient’s device automatically replaced it with the actor Nicolas Cage over their faces.”

WhatsApp and Telegram aren’t really to blame on this one.

How Android and WhatsApp handle storage permissions

No one is claiming there’s any vulnerability in their encryption; however, this issue speaks to a more significant problem with Android and the way it handles storage permissions.

“WhatsApp has looked closely at this issue. It’s similar to previous questions about mobile device storage impacting the app ecosystem,” a WhatsApp spokesperson told The Verge.

As soon as we need access to media that arrives through secure channels, we also give access to any person or app that has managed to get the same permissions.
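
The window described above, between the app writing decrypted media to shared storage and you viewing it, is something the receiving app can check for. As an added illustration (not code from WhatsApp, Telegram or the researchers; the class name, file names and directory layout are hypothetical and the file bytes are constructed), this Python example records a digest in app-private storage at receive time and verifies it before display:

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file so large videos do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class MediaIntegrityStore:
    """Keeps digests in app-private storage (hypothetical layout), which
    other apps cannot write to, unlike shared external storage."""
    def __init__(self, private_dir):
        self.index_path = os.path.join(private_dir, "media_digests.json")
        self.index = {}
        if os.path.exists(self.index_path):
            with open(self.index_path) as f:
                self.index = json.load(f)

    def record(self, media_path, received_bytes):
        """Hash the decrypted bytes in memory, before they reach shared storage."""
        key = os.path.abspath(media_path)
        self.index[key] = hashlib.sha256(received_bytes).hexdigest()
        with open(self.index_path, "w") as f:
            json.dump(self.index, f)

    def verify(self, media_path):
        """Return 'ok', 'modified', 'missing' or 'unknown'; call before rendering."""
        expected = self.index.get(os.path.abspath(media_path))
        if expected is None:
            return "unknown"
        if not os.path.exists(media_path):
            return "missing"
        return "ok" if sha256_file(media_path) == expected else "modified"

def demo():
    """Simulate receive, view, then a second app overwriting the saved file."""
    with tempfile.TemporaryDirectory() as private, tempfile.TemporaryDirectory() as shared:
        store = MediaIntegrityStore(private)
        photo = Path(shared) / "IMG-0001.jpg"        # constructed file name
        original = b"\xff\xd8constructed-original"   # constructed sample bytes
        store.record(photo, original)
        photo.write_bytes(original)
        before = store.verify(photo)
        photo.write_bytes(b"\xff\xd8constructed-replacement")
        return before, store.verify(photo)
```

The check only helps if the digest index lives somewhere other apps cannot write; storing it next to the media would let the same storage permission rewrite both.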

How to prevent your WhatsApp media from being hacked

Prevention is still better than cure. Your best defence is still to make sure you don’t grant applications permissions they shouldn’t need to perform their function.

A running app would need access to your location, but the game you’re playing probably doesn’t.

“WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development”, the WhatsApp statement continued.

As good as WhatsApp and Telegram’s encryption is, you cannot assume that your media, messages and the identity of the senders and recipients are 100% secure when you have any non-factory apps running on your phone.
