WhatsApp Failure To Delete
Posted May 19, 2017
Authored by Yakov Shafranovich | Site wwws.nightwatchcybersecurity.com

WhatsApp Messenger for Android does not delete sent and received files from the SD card on the device when chats are cleared, deleted or the application is uninstalled from the device. Additionally, the application stores sent and received files in the SD card without encryption where they are accessible to any applications with storage permissions.

tags | advisory
advisories | CVE-2017-8769
MD5 | 5e2920e5654182fcbd4c84af2f612484

*** The vendor has addressed these issues and we updated our advisory
accordingly ***

[Original post here:
https://wwws.nightwatchcybersecurity.com/2017/05/17/advisory-whatsapp-for-android-privacy-issues-with-handling-of-media-files-cve-2017-8769/]

SUMMARY

WhatsApp Messenger for Android does not delete sent and received files
from the SD card on the device when chats are cleared, deleted or the
application is uninstalled from the device. Additionally, the
application stores sent and received files in the SD card without
encryption where they are accessible to any applications with storage
permissions.

The vendor (Facebook) doesn’t consider these to be security issues and
does not plan to fix them. MITRE has assigned CVE-2017-8769 for these
issues. It is also unclear whether platforms other than Android are
affected.

[UPDATE: 09/06/2017 – a recent update to WhatsApp for Android now
displays an option to delete media files when deleting chats and that
option is checked by default. The change to the UI mitigates the
issues discussed in this advisory. Users are encouraged to update to
v2.16.323 or later.]

BACKGROUND

WhatsApp Messenger is a popular cross-platform communication tool that
allows users to send and receive messages without using more expensive
protocols like SMS. Additionally, the application allows sending and
receiving of files including audio, contacts, images, videos and
arbitrary documents. It is estimated that WhatsApp has over 1 billion
active users, and it is owned by Facebook, which also operates the
largest social networking site in the world.

One of the main selling points that WhatsApp makes is their commitment
to user privacy which revolves around the implementation of end-to-end
encryption via the Signal protocol originally developed by Open
Whisper Systems. This encryption makes it impossible for Facebook to
monitor and capture message traffic flowing between users. In some
extreme cases, Facebook executives have been placed in jail for the
failure to allow access to messaging data when requested by
governments.

Because WhatsApp users have a high expectation of privacy, it is
important that the security of the application on the device is also
properly implemented. In regards to messages, WhatsApp stores them in
an encrypted database, but it fails to do the same for files. WhatsApp
also does not clear files received or sent by the user when the chats
are cleared. This can result in user data being leaked or stolen by
malicious applications, by law enforcement during illegal searches, or
by unwanted actors with access to the device (“evil maid scenario”).

DETAILS

As mentioned above, WhatsApp has the ability to send and receive files in
addition to regular messages. This functionality includes arbitrary
documents from the file system, contacts, location information, and
various types of multimedia files including two separate audio formats
(voice notes and recordings), images and videos. There is also more
recent functionality around “status” images which disappear after 24
hours. In order for WhatsApp to access the SD card, users must grant
storage permissions, and in practice most users do so in order to be
able to exchange files.

In our research, we have found that WhatsApp for Android stores these
files on the SD card where they are accessible to other applications
and does not delete them when chats are cleared, deleted or the
application is uninstalled. Both sent and received files are retained.
They are retained on the SD card in the following folder:

- /WhatsApp/Media/

We have observed that the following file types are retained and not deleted:

- /WhatsApp/Media/.Statuses/
- /WhatsApp/Media/WhatsApp Audio/
- /WhatsApp/Media/WhatsApp Documents/
- /WhatsApp/Media/WhatsApp Images/
- /WhatsApp/Media/WhatsApp Video/
- /WhatsApp/Media/WhatsApp Voice Notes/

To replicate the issue:
1. Install WhatsApp for Android.
2. Login and exchange messages with another user that contain any of
the file types listed above.
3. Then, install any file manager for Android.
4. Navigate to the SD card, and observe the files sent and received
being located in the directories described above.

As the next step, try to delete a chat by tapping and holding the chat
until the delete option comes up. Delete the chat, and go back to the
file manager to check.

As the next step, try going to “Settings”, “Chats”, “Chat History” and
selecting either “Clear all chats” or “Delete all chats”. Go back to
the file manager and observe the media files still being present.

As the next step, uninstall WhatsApp. Go back to the file manager, and
observe the media files still being there.

All testing was done on Android 7, and WhatsApp Messenger v2.17.146.
It is unclear whether other platforms are affected.

VENDOR RESPONSE AND MITIGATION STEPS

The vendor (Facebook) doesn’t consider these to be security issues and
has no plans to fix them. Vendor response is as follows:

---
Thanks again for your report. We contacted the WhatsApp team about
your report, and they confirmed that the behavior you describe is
intentional. They designed the Android app to optimize for the storage
space available on devices and allow media in WhatsApp to be visible
in other apps like the Google Photos gallery. WhatsApp doesn’t assume
that clearing the chat means clearing the media files as well. While
the behavior might change in the future, we currently don’t have any
plans to do so.
---

The vendor also noted that on Windows Phone, there is a setting that
stops the application from saving media files that are received by the
user.

It is recommended that users regularly check the folders listed above
on the SD card and empty them as needed. For those users who desire
higher security, it may be prudent to reformat or encrypt the SD card,
or destroy the SD card if needed in order to delete these files.
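As an added example (not part of the original advisory), the following POSIX shell script performs the file-manager check from the replication steps above and the manual clean-up recommended here: it counts, and on request removes, files in the six media folders the advisory lists. The SD card root is passed in and is an assumption (typically /sdcard or /storage/emulated/0 when run via adb shell, or the mount point when the card is read on a PC).

```shell
#!/bin/sh
# Audit (and optionally purge) the WhatsApp media folders that the advisory
# found to survive chat deletion and uninstall. The folder list is taken
# from the advisory; the SD card root is an assumption supplied by the
# caller (e.g. /sdcard on-device, or the mount point on a PC).

WA_MEDIA_DIRS=".Statuses
WhatsApp Audio
WhatsApp Documents
WhatsApp Images
WhatsApp Video
WhatsApp Voice Notes"

# Run "$@" once per advisory folder, with the full folder path appended.
# Folder names contain spaces, so the list is split on newlines only.
for_each_media_dir() {
    root="$1"; shift
    old_ifs=$IFS; IFS='
'
    for sub in $WA_MEDIA_DIRS; do
        IFS=$old_ifs   # word list is already split; restore before calling out
        "$@" "$root/WhatsApp/Media/$sub"
    done
    IFS=$old_ifs
}

# Number of regular files under one folder (0 if the folder is absent).
count_dir() {
    if [ -d "$1" ]; then find "$1" -type f | wc -l | tr -d ' '; else echo 0; fi
}
report_dir() { printf '%s: %s file(s)\n' "$1" "$(count_dir "$1")"; }
# Remove the files but keep the folder itself, as the advisory suggests.
purge_dir() { [ -d "$1" ] || return 0; find "$1" -type f -exec rm -f {} +; }

# Per-folder listing, total residual count, and purge over all folders.
report_residual_media() { for_each_media_dir "$1" report_dir; }
residual_media_count()  { for_each_media_dir "$1" count_dir | awk '{ s += $1 } END { print s + 0 }'; }
purge_whatsapp_media()  { for_each_media_dir "$1" purge_dir; }

# Usage: sh wa_media_audit.sh <sdcard-root> [--purge]
if [ "$#" -gt 0 ]; then
    report_residual_media "$1"
    echo "residual files: $(residual_media_count "$1")"
    if [ "${2:-}" = "--purge" ]; then purge_whatsapp_media "$1"; fi
fi
```

Run it after each step of the replication procedure (chat deleted, all chats cleared, app uninstalled); a non-zero residual count at any step reproduces the advisory's finding.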

UPDATE: 09/06/2017 – a recent update to WhatsApp for Android now
displays an option to delete media files when deleting chats and that
option is checked by default. The change to the UI mitigates the
issues discussed in this advisory. Users are encouraged to update to
v2.16.323 or later.

New response from the vendor:

>> We published on this back in May. It looks like that the most recent version of WhatsApp for Android adds a mitigation for this issue. Can you confirm?

Yes, the WhatsApp team indeed added a background job to clear media.

REFERENCES

CVE ID: CVE-2017-8769
CWE IDs: CWE-359 (“Exposure of Private Information”)
Facebook security reference # 10101277738643365

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-04-09: Initial report to Facebook
2017-04-14: Email exchange with the vendor
2017-04-20: Email exchange with the vendor
2017-04-03: Email exchange with the vendor
2017-05-09: Email exchange with the vendor
2017-05-16: Email exchange with the vendor
2017-05-17: Email exchange with the vendor
2017-05-17: Public disclosure
2017-09-06: Updated with details of the new UI changes in the Android
app that mitigate these issues
2017-09-11: Email exchange with the vendor
