WhatsApp for Android Retains Deleted Contacts Locally

Summary

WhatsApp for Android retains contact information locally after a contact is deleted. This would allow an attacker with physical access to the device to check whether the WhatsApp user had interactions with specific contacts, even after those contacts were deleted.

Vulnerability Details

When a contact is deleted on WhatsApp, its security code change history is retained (while the chat content is not). The only way to remove it is to select “Clear Chat” for the contact before deleting it. Even deleting the chat itself doesn’t remove it unless the “Clear Chat” operation is done first. The “security code change notifications” option must be enabled in order for this to occur.

Someone with access to the user’s device can figure out whether they ever chatted with specific contacts, even if those contacts and their chats are no longer on the device. This is a privacy issue, especially for journalists and people living in dangerous countries.

Since WhatsApp uses Android’s contacts app for contact information but also supports chats with numbers that aren’t contacts, our theory is that the application retains information about security code changes even for contacts no longer on the device. There seems to be a discrepancy between how the “Clear Chat” and “Delete Chat” options are implemented in the application, with only the first deleting the security notification data.

To reproduce:

  1. Delete a chat with a contact that had security code changes before.
  2. Delete the contact from the device via the Android Contacts app.
  3. Re-add contact to the device via the Android Contacts app.
  4. Start a new chat in WhatsApp with that contact but do not send any messages.
  5. Observe that security code changes are listed with dates in the chat.
  6. Select “Clear Chat” to remove the security code changes, and repeat steps 1-4. Observe that the security code changes no longer appear.

Tested on WhatsApp for Android, app version 2.21.20.20, running on Android 12.

Vendor Response

We haven’t retested on a more recent version but our recommendation to users is to use the “Clear Chat” option in order to prevent this.

The vendor will not be fixing this issue, here is their response:

As part of the attack scenario you describe getting access to a person’s WhatsApp account to obtain private data, as you mention yourself, people do have a way to remove these messages from their account, if a bad actor gets access to their WhatsApp account prior to that person deleting that information then they will be able to view this information. As such, we are closing this report.

References

CWE: CWE-212 – Improper Removal of Sensitive Information Before Storage or Transfer

Facebook # 10102482597361835

Timeline

2021-10-24: Initial report sent to the vendor, report ID assigned
2021-10-27: Vendor asks for more info, additional info and screenshots sent
2021-11-03: Vendor sent interim status report, still investigating
2021-11-09: Vendor rejects the vulnerability and closes the report
2021-12-30: Public disclosure

Interesting two-factor (2FA) behavior in Facebook

We recently ran across an interesting behavior with two-factor authentication in Facebook. There are two methods supported: SMS to a phone and OTP via an app such as Google Authenticator. What is interesting is that when OTP is added as a 2FA method and SMS remains as backup, every login to Facebook still sends an SMS code (even though that method is supposed to be a “backup method” used only if the OTP method fails). This is in contrast with other vendors such as Google, where only one 2FA method is used at any given time.

The only way around this is to set up OTP as the primary 2FA method and backup codes or a security key as the backup one. If you try to set up SMS as the backup method, it reverts to the behavior described above.

This was reported to Facebook on April 27th, 2020 and rejected as a security issue. The original report # is 554696145470552.


Third Party Android App Storing Facebook Data Insecurely (Facebook Data Abuse Program)

Summary

A third-party Android application with Facebook API access was found to be copying user data into storage outside of Facebook, and storing it insecurely in two separate locations. This issue was reported to Facebook via their Data Abuse Bounty program and the insecure storage locations have been secured on November 12th, 2018. The Facebook app associated with this application has been removed from the Facebook platform but the Android application remains available in Google’s Play Store. The number of affected users is unknown. [ADDED: 02/15/2019 – Google has been notified].

Background

In April 2018, Facebook announced a new Data Abuse Bounty program that rewards “people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence”.

In September 2018, we found an Android application in the Google Play store that purports to provide additional functionality to Facebook users that is not available through the platform. At the time of writing, the application had more than 1,000,000 downloads. After downloading the application and examining it using JADX, we found that the application was using Facebook APIs to access data for the logged-in user and copying it to several storage locations outside of Facebook. Upon further examination, it was clear that at least two of those locations (a Firebase database and an API server) exposed this data without any authentication and without HTTPS. This would allow an attacker to mass-download the user data the application had accumulated from its users.

We do not know for sure how many users have been impacted or exposed, but one of the databases accessed contained over 1,000,000 records. [ADDED: 02/15/2019 – The application purported to provide additional statistical information about the logged-in user’s Facebook account. There is a privacy policy within the application but it is ambiguous about the transfer of data].

Issue #1 – Storing user data in a public Firebase database

During our examination of the application, we located a Firebase database that the application was communicating with. The database was configured in test mode, which allowed anonymous public access simply by visiting the URL “https://DATABASE.firebaseio.com/.json”. As seen in the attached screenshot, the database contained data obtained from Facebook. Aside from confirming the initial permission issue, we did not access or explore this database any further.

Screenshot:

[Screenshot: likulator1]
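The “test mode” rules that made this database world-readable are a configuration problem that is easy to audit before deployment. The following is an added example, not code from the application or from Firebase: a small Python checker that walks a Realtime Database rules document, reports every path whose `.read` or `.write` rule is an unconditional `true`, and flags the root-readable case that permits the `/.json` dump described above. Both rules documents are constructed samples.

```python
import json

# Constructed sample: Firebase Realtime Database "test mode" rules. Both rules
# are unconditionally true, so the whole tree is readable and writable by
# anyone who can reach https://<db>.firebaseio.com/.json (no auth required).
TEST_MODE_RULES = json.dumps({
    "rules": {".read": True, ".write": True}
})

# Constructed hardened version: nothing is readable at the root, users may
# only touch their own node, and one branch is deliberately read-only public.
LOCKED_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "users": {"$uid": {
            ".read": "auth != null && auth.uid == $uid",
            ".write": "auth != null && auth.uid == $uid",
        }},
        "public_stats": {".read": True, ".write": False},
    }
})


def _is_unconditional(value):
    """True for a rule that grants access to everyone, signed in or not."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def find_public_paths(rules_json):
    """Return sorted (path, permission) pairs for every node whose .read or
    .write rule is unconditionally true. Rules cascade downward, so a hit on a
    parent path exposes every child beneath it."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append((path or "/", key[1:]))
            elif isinstance(value, dict):  # child path; skips .validate/.indexOn
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return sorted(findings)


def rules_are_safe(rules_json):
    """Unsafe if anything is world-writable or the root is world-readable
    (the latter is exactly the /.json mass-download case)."""
    return not any(perm == "write" or path == "/"
                   for path, perm in find_public_paths(rules_json))


if __name__ == "__main__":
    for name, rules in (("test mode", TEST_MODE_RULES), ("locked", LOCKED_RULES)):
        verdict = "safe" if rules_are_safe(rules) else "UNSAFE"
        print(f"{name}: {find_public_paths(rules)} -> {verdict}")
```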

Issue #2 – Storing user data in a non-SSL server without authentication

During our examination of the application, it became clear that the server the application was communicating with did not use SSL and was accessed without authentication. As seen below, this would allow an attacker to download the data the application collected from Facebook using a regular browser, as well as eavesdrop on any connections between the application and the server. Aside from confirming the initial permission issue, we did not access or explore this server any further.

[Screenshots: likulator2, likulator3]

Vendor Response and Mitigation

We contacted the Facebook Data Abuse Bounty program but did not contact the vendor directly. After Facebook completed its review, the two insecure locations have been secured on November 12th, 2018. The Facebook app associated with this application has been removed from the Facebook platform but the Android application remains available in Google’s Play Store. [ADDED: 02/15/2019 – Google has been notified].

This discovery qualified under the terms of the Facebook Data Abuse Bounty Program and a bounty payment has been received.

References

Facebook report # 10101718616795015
Google reference # 8-7487000025062

Credits

This advisory was written by Yakov Shafranovich.

Timeline

2018-09-17: Initial report submitted to Facebook, initial response received
2018-11-12: Issue fixed
2018-11-27: Bounty decision received; sent disclosure request
2018-11-30: Facebook asked for additional time before disclosure
2019-01-15: Investigation has been finalized, Facebook asked for a copy of the disclosure
2019-02-03: Draft disclosure shared for review
2019-02-14: Public Disclosure
2019-02-15: Minor updates; notification sent to Google

Advisory: Crashing Facebook Messenger for Android with an MITM attack

Summary

Facebook Messenger for Android can be crashed via the application’s server status check. An MITM attacker can exploit this by intercepting that call and returning a large amount of data. This is possible because the status check is not done over SSL and the application contains no logic for checking whether the returned data is very large.

The vendor has no immediate plans to fix this issue.

Vulnerability Details

Facebook Messenger for Android is a messaging application provided by Facebook. While monitoring network traffic of a test device running Android, we observed that the application made network calls to check server status. This call was done over plain HTTP without the use of SSL / TLS. Example URL:

http://portal.fb.com/mobile/status.php

We succeeded in crashing the application by injecting a large response, because the application doesn’t handle large data coming back correctly and doesn’t use SSL for this call.

It is also important to note that this would allow someone to block Messenger from being used without the users realizing they are being blocked, since they would attribute the app crashing to a bug rather than to a block.
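The two defects described above (plain HTTP and an unbounded read of the reply) have a straightforward hardened form. The following is an added illustration in Python, not the Messenger app’s own code and not in its language: a status-check client that refuses non-HTTPS URLs and reads the body in chunks under a fixed cap, so a multi-gigabyte reply is rejected instead of being buffered into memory. The cap value and the helper names are assumptions for this example; the URL is the one from the advisory.

```python
import io
from urllib.parse import urlparse

# Assumed cap: far above any real status reply, far below what an Android
# process can hold. Constructed for this example, not taken from the app.
MAX_STATUS_BYTES = 64 * 1024


class StatusCheckError(Exception):
    """Raised when the status check is refused or the reply is rejected."""


def validate_status_url(url):
    """Refuse to run the status check over plain HTTP. TLS is what stops a
    same-network attacker from answering the request in the server's place."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise StatusCheckError(f"status check must use https, got {scheme!r}")


def read_bounded(stream, max_bytes=MAX_STATUS_BYTES, content_length=None,
                 chunk_size=8192):
    """Read a response body without trusting the peer to keep it small: reject
    an oversized Content-Length up front, then read in chunks and abort as soon
    as the cap is exceeded. Memory use stays at most max_bytes + chunk_size no
    matter how large the server's reply is."""
    if content_length is not None and content_length > max_bytes:
        raise StatusCheckError(f"declared length {content_length} exceeds cap")
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise StatusCheckError(f"body exceeded cap of {max_bytes} bytes")


def fetch_status(url, stream, content_length=None):
    """The hardened status check: scheme check first, bounded read second."""
    validate_status_url(url)
    return read_bounded(stream, content_length=content_length)


def status_accepted(url, body, content_length=None):
    """Convenience wrapper over an in-memory body; True if the check passes."""
    try:
        fetch_status(url, io.BytesIO(body), content_length=content_length)
        return True
    except StatusCheckError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a tiny legitimate reply and an attacker-sized one.
    url = "https://portal.fb.com/mobile/status.php"
    print(status_accepted(url, b"OK"))                           # True
    print(status_accepted(url, b"A" * (MAX_STATUS_BYTES + 1)))  # False
    print(status_accepted("http://portal.fb.com/mobile/status.php", b"OK"))  # False
```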

Captured traffic:

[Screenshot: test_now]

Steps To Replicate (on Ubuntu 18.04)

1. Install the application on the Android device.

2. Install dnsmasq and NGINX on the Linux host:

sudo apt-get install dnsmasq nginx

3. Modify the /etc/hosts file to add the following entry, mapping the portal.fb.com domain to the Linux host:

192.168.1.x portal.fb.com

4. Configure the /etc/dnsmasq.conf file to listen on that IP and restart dnsmasq:

listen-address=192.168.1.x
sudo /etc/init.d/dnsmasq restart

5. Use mkdir and fallocate to create a large file at the status URL’s path under “/var/www/html/” (you may need to use sudo):

cd /var/www/html
mkdir mobile
cd mobile
fallocate -l 2.5G status.php

6. Set up a WiFi access point and set the DNS server setting on the access point to the Linux computer (“192.168.1.x”).

7. Connect the test device to the access point – Android will now resolve DNS against the Linux computer.

8. Re-open the app and try to activate with a phone number. Observe the crash – note that the application and launcher crash, but not the device itself.

All testing was done on v169.0.0.27.76 of the Android application using a Linux host running Ubuntu v18.04 and Android test devices running Android v7 and v8.1.

Vendor Response and Mitigation

The vendor doesn’t consider this to be a security issue and doesn’t have immediate plans to fix it:

After talking to the product team, we’ve determined that the crash is due to OOM and the security risk here is not significant enough to qualify for a bounty. The impact here is a denial of service on very specific users on the attacker’s wifi network, which arguably can be done via other local network attacks which we ultimately cannot control. While we agree that this is a software bug and we may consider making changes in the future to prevent this behavior, this issue does not qualify as a part of our bounty program.

References

CVE-ID: no CVE assigned
CWE: CWE-400 – Uncontrolled Resource Consumption (‘Resource Exhaustion’)

Credits

Text of the advisory written by Yakov Shafranovich.

Timeline

2018-06-05: Initial email to the vendor as part of another issue; POC sent
2018-06-12: Initial report triaged by vendor and sent to product team
2018-06-20: Vendor response received
2018-06-25: Draft advisory provided to vendor for review
2018-07-09: Public disclosure

Advisory: WhatsApp for Android Privacy Issues with Handling of Media Files [CVE-2017-8769]

Summary

WhatsApp Messenger for Android does not delete sent and received files from the SD card on the device when chats are cleared, deleted or the application is uninstalled from the device. Additionally, the application stores sent and received files in the SD card without encryption where they are accessible to any applications with storage permissions.

The vendor (Facebook) doesn’t consider these to be security issues and does not plan to fix them. MITRE has assigned CVE-2017-8769 for these issues. It is also unclear whether platforms other than Android are affected.

[UPDATE: 09/06/2017 – a recent update to WhatsApp for Android now displays an option to delete media files when deleting chats and that option is checked by default. The change to the UI mitigates the issues discussed in this advisory. Users are encouraged to update to v2.16.323 or later.]

[UPDATE: 12/05/2017 – the checkbox to delete media files when deleting chats doesn’t always work. Users are encouraged to delete the WhatsApp directory on the SD card using a file manager to make sure all media files are removed, and to be aware of issues with erasing flash memory in general. Facebook has refused to acknowledge this as a security issue and has no plans to fix it.]

Background

WhatsApp Messenger is a popular cross-platform communication tool that allows users to send and receive messages without using more expensive protocols like SMS. Additionally, the application allows sending and receiving of files including audio, contacts, images, videos and arbitrary documents. It is estimated that WhatsApp has over 1 billion active users, and it is owned by Facebook, which also operates the largest social networking site in the world.

One of the main selling points that WhatsApp makes is their commitment to user privacy which revolves around the implementation of end-to-end encryption via the Signal protocol originally developed by Open Whisper Systems. This encryption makes it impossible for Facebook to monitor and capture message traffic flowing between users. In some extreme cases, Facebook executives have been placed in jail for the failure to allow access to messaging data when requested by governments.

Because of the high expectation of privacy by WhatsApp users, it is important that the security of the application on the device is also properly implemented. In regards to messages, WhatsApp stores them in an encrypted database but fails to do the same for files. WhatsApp also does not clear files received or sent by the user when the chats are cleared. This can result in user data being leaked or stolen by malicious applications, by law enforcement during illegal searches, or by unwanted actors with access to the device (“evil maid scenario”).

Vulnerability Details

As mentioned above, WhatsApp has the ability to send and receive files in addition to regular messages. This functionality includes arbitrary documents from the file system, contacts, location information, and various types of multimedia files including two separate audio formats (voice notes and recordings), images and videos. There is also more recent functionality around “status” images which disappear after 24 hours. In order for WhatsApp to access the SD card, users must grant storage permissions, which in practice most users do in order to be able to exchange files.

In our research, we have found that WhatsApp for Android stores these files on the SD card where they are accessible to other applications and does not delete them when chats are cleared, deleted or the application is uninstalled. Both sent and received files are retained. They are retained on the SD card in the following folder:

  • /WhatsApp/Media/

We have observed that the following file types are retained and not deleted:

  • /WhatsApp/Media/.Statuses/
  • /WhatsApp/Media/WhatsApp Audio/
  • /WhatsApp/Media/WhatsApp Documents/
  • /WhatsApp/Media/WhatsApp Images/
  • /WhatsApp/Media/WhatsApp Video/
  • /WhatsApp/Media/WhatsApp Voice Notes/

[Screenshot: Screenshot_20170512-000800]

To replicate the issue:

  1. Install WhatsApp for Android.
  2. Log in and exchange messages with another user that contain any of the file types listed above.
  3. Then, install any file manager for Android.
  4. Navigate to the SD card, and observe the files sent and received being located in the directories described above.

As the next step, try to delete a chat by tapping and holding the chat until the delete option appears. Delete the chat, and go back to the file manager to check whether the files are still there.

As the next step, try going to “Settings”, “Chats”, “Chat History” and selecting either “Clear all chats” or “Delete all chats”. Go back to the file manager and observe the media files still being present.

[Screenshot: Screenshot_20170512-000723]

As the next step, uninstall WhatsApp. Go back to the file manager, and observe the media files still being there.

All testing was done on Android 7, and WhatsApp Messenger v2.17.146. It is unclear whether other platforms are affected.

Vendor Response and Mitigation Steps

The vendor (Facebook) doesn’t consider these to be security issues and has no plans to fix them. Vendor response is as follows:

Thanks again for your report. We contacted the WhatsApp team about your report, and they confirmed that the behavior you describe is intentional. They designed the Android app to optimize for the storage space available on devices and allow media in WhatsApp to be visible in other apps like the Google Photos gallery. WhatsApp doesn’t assume that clearing the chat means clearing the media files as well. While the behavior might change in the future, we currently don’t have any plans to do so.

The vendor also noted that on Windows Phone, there is a setting that stops the application from saving media files that are received by the user.

It is recommended that users regularly check the folders listed above on the SD card and empty them as needed. For those users who desire higher security, it may be prudent to reformat or encrypt the SD card, or destroy the SD card if needed in order to delete these files.

[UPDATE: 09/06/2017] – a recent update to WhatsApp for Android now displays an option to delete media files when deleting chats and that option is checked by default. The change to the UI mitigates the issues discussed in this advisory. Users are encouraged to update to v2.16.323 or later.

New response from the vendor:

>> We published on this back in May. It looks like that the most recent version of WhatsApp for Android adds a mitigation for this issue. Can you confirm?

Yes, the WhatsApp team indeed added a background job to clear media.

Screenshots of the new UI:

[Screenshots of the new UI]

[UPDATE: 12/05/2017 – the checkbox to delete media files when deleting chats doesn’t always work. Users are encouraged to delete the WhatsApp directory on the SD card using a file manager to make sure all media files are removed, and to be aware of issues with erasing flash memory in general. Facebook has refused to acknowledge this as a security issue and has no plans to fix it.]

New response from the vendor:

Thank you for clarifying more. According to the post you linked to, Facebook had informed that CVE-2017-8769 was not considered a security risk. Since what you describe doesn’t appear to be a security vulnerability, you can report a general software bug by contacting WhatsApp at: [email protected]

References

CVE ID: CVE-2017-8769
CWE IDs: CWE-359 (“Exposure of Private Information”)
Facebook security reference # 10101277738643365

Credits

Advisory written by Yakov Shafranovich.

Timeline

2017-04-09: Initial report to Facebook
2017-04-14: Email exchange with the vendor
2017-04-20: Email exchange with the vendor
2017-04-03: Email exchange with the vendor
2017-05-09: Email exchange with the vendor
2017-05-16: Email exchange with the vendor
2017-05-17: Email exchange with the vendor
2017-05-17: Public disclosure
2017-09-06: Updated with details of the new UI changes in the Android app that mitigate these issues
2017-09-11: Email exchange with the vendor
2017-12-05: Followup exchange with the vendor