Tuesday, November 11, 2014

WeChat – A good example of bad API security!

In last few days Muhammad Haris was looking into network traffic data of mobile applications for related research on mobile privacy and security. However, in the process, we figure out shocking vulnerability in very famous WeChat messenger application. First, for those of you who never heard of Wechat: it is a primary messenger app in the Asian region specifically China, used by half a billion of individuals. 

This app has one important feature named moments. By this feature users can share photos and status with their friends only.  For the sake of privacy, photos and status shared by your friends are only visible to you in your moment (not the default friends-of-friends like in Facebook wall). Similarly there is another feature of album; which lets you see all pictures and status shared by a particular friend. You can visit your friends’ album through their profile. Important point to note here is that official explanation by WeChat mentioned that things shared on moments (and album) are visible to your friends only.  However it seems like backend communicationa between the WeChat application and its server suffer from serious security flaws. Let me take you there step by step.

To capture mobile application data Haris used fiddler which is very nice proxy; should you wish to use fiddler to capture your mobile data you can follow this nice tutorial by Troy Hunt

If you visit WeChat moments in phone, all the pictures visible in your moments are being loaded over HTTP. Hence by just looking at the mobile traffic data from fiddler you can get all the moments' pictures.  Picture:1 shows Haris's WeChat moments, his friend has shared some photos of his hiking trip. 
Now in the picture:2 as we browse over moments, the highlighted packets are sent by WeChat server to the application in the phone. Notice that protocol used for these packets is HTTP, which means photo data is not sent over secured HTTPS channel. 

In picture:3 and picture:4 we see selected individual packets, you can see the same pictures of his friend which are in the moments here.

This simply means that if a WiFi provider collect the raw packets on the channel from mobile devices, they can easily get all the photos of your friends as soon as you visits moments on your WeChat. As a result on one hand personal photos (of you and your friends) can be leaked and on the other hand a malicious WiFi provider can also infer your social links by looking at the pictures. This just illustrates the point of how harmful a poorly implemented API (application programming interface) security can be!

In comparison with other OSNs, Instagram seems to be still suffering form similar security issues, but in case of WeChat there is no need to hijack any sessions, it's all open by default! Google offered full encryption as an option for Gmail in 2008, but two years later made it the default. Facebook switched it on by default in January 2011.