In the last few days Muhammad Haris was looking into network traffic data of mobile applications for research on mobile privacy and security. In the process, we found a shocking vulnerability in the very popular WeChat messenger application. First, for those of you who have never heard of WeChat: it is the primary messenger app in the Asian region, specifically China, used by half a billion individuals. This app has one important feature named Moments. Through this feature users can share photos and status with their friends only.
For the sake of privacy, photos and status shared by your friends are only visible to you in your Moments (not to friends-of-friends by default, as on a Facebook wall). Similarly there is another feature, the album, which lets you see all pictures and status shared by a particular friend. You can visit your friends' album through their profile. The important point to note here is that the official explanation by WeChat states that things shared on Moments (and the album) are visible to your friends only. However, it seems that the backend communication between the WeChat application and its server suffers from serious security flaws. Let me take you there step by step.
To capture mobile application data Haris used Fiddler, which is a very nice proxy; should you wish to use Fiddler to capture your mobile data you can follow this nice tutorial by Troy Hunt.
If you visit WeChat Moments on your phone, all the pictures visible in your Moments are loaded over HTTP. Hence by just looking at the mobile traffic data in Fiddler you can get all the Moments' pictures. Picture 1 shows Haris's WeChat Moments; his friend has shared some photos of his hiking trip.
Now in Picture 2, as we browse over Moments, the highlighted packets are sent by the WeChat server to the application on the phone. Notice that the protocol used for these packets is HTTP, which means the photo data is not sent over a secured HTTPS channel. In Picture 3 and Picture 4 we see selected individual packets; you can see the same pictures of his friend that are in the Moments.
This simply means that if a WiFi provider collects the raw packets on the channel from mobile devices, they can easily get all the photos of your friends as soon as you visit Moments in your WeChat. As a result, on one hand personal photos (of you and your friends) can be leaked, and on the other hand a malicious WiFi provider can also infer your social links by looking at the pictures. This just illustrates how harmful poorly implemented API (application programming interface) security can be!
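The finding above comes down to one question an app owner or privacy reviewer can check mechanically over a proxy capture: did any image response arrive over plain http:// rather than https://? The script below is an added example, not code from the original post or from WeChat; it walks a list of request/response records of the kind Fiddler exports and flags every successful image fetched in cleartext, then totals them per host. The flow records, host names and paths are constructed placeholders, not real WeChat traffic.

```python
"""Audit captured HTTP(S) flows for image payloads served in cleartext.

Added example, not code from the original post. It models what a reviewer
would do with a Fiddler/proxy capture: walk every response and flag any
image that travelled over plain http:// instead of https://. The flow
records at the bottom are constructed sample data; host names and paths
are placeholders, not real WeChat endpoints.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Flow:
    """One request/response pair as a proxy such as Fiddler would record it."""
    url: str
    status: int
    headers: dict  # response headers, lower-cased keys


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    content_type: str
    length: int


def is_image_response(flow: Flow) -> bool:
    """True when the response body is an image by Content-Type or by file extension."""
    ctype = flow.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith("image/"):
        return True
    # Some CDNs send application/octet-stream; fall back to the path suffix.
    path = urlsplit(flow.url).path.lower()
    return path.endswith((".jpg", ".jpeg", ".png", ".gif", ".webp"))


def cleartext_images(flows) -> list:
    """Return a Finding for every successful image response fetched over plain HTTP."""
    findings = []
    for f in flows:
        parts = urlsplit(f.url)
        if parts.scheme != "http":
            continue  # https (or any other transport) is not the concern here
        if not (200 <= f.status < 300):
            continue  # a 404 page is not a leaked photo
        if not is_image_response(f):
            continue
        findings.append(Finding(
            host=parts.hostname or "",
            path=parts.path,
            content_type=f.headers.get("content-type", "unknown"),
            length=int(f.headers.get("content-length", "0") or 0),
        ))
    return findings


def summarize(findings) -> dict:
    """Per-host (count, bytes) of cleartext images: the view a reviewer reports."""
    per_host = {}
    for x in findings:
        count, total = per_host.get(x.host, (0, 0))
        per_host[x.host] = (count + 1, total + x.length)
    return per_host


# Constructed capture: an API call over HTTPS mixed with photo fetches over HTTP.
SAMPLE_FLOWS = [
    Flow("https://api.example-messenger.test/sns/timeline", 200,
         {"content-type": "application/json", "content-length": "2048"}),
    Flow("http://cdn-photos.example-messenger.test/snsimg/abc123/0", 200,
         {"content-type": "image/jpeg", "content-length": "184320"}),
    Flow("http://cdn-photos.example-messenger.test/snsimg/def456/0.jpg", 200,
         {"content-type": "application/octet-stream", "content-length": "90112"}),
    Flow("http://cdn-photos.example-messenger.test/snsimg/missing.jpg", 404,
         {"content-type": "text/html", "content-length": "512"}),
    Flow("https://cdn-photos.example-messenger.test/avatar/u1.png", 200,
         {"content-type": "image/png", "content-length": "4096"}),
]

if __name__ == "__main__":
    found = cleartext_images(SAMPLE_FLOWS)
    for x in found:
        print(f"CLEARTEXT IMAGE  {x.host}{x.path}  {x.content_type}  {x.length} bytes")
    print(summarize(found))
```

On the constructed sample the audit flags two photos on the placeholder CDN host (the JPEG announced by Content-Type and the octet-stream response recognised by its .jpg suffix) and ignores the HTTPS API call, the HTTPS avatar and the 404. An empty result from `cleartext_images` on a real capture is the condition a fix for the issue described above should satisfy; the same check run after every release keeps the regression from silently returning.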
In comparison with other OSNs, Instagram seems to still suffer from similar security issues, but in the case of WeChat there is no need to hijack any sessions; it's all open by default! Google offered full encryption as an option for Gmail in 2008, but two years later made it the default. Facebook switched it on by default in January 2011.