Hi Folks!

4 years ago 181
BOOK THIS SPACE FOR AD
ARTICLE AD

Hi Folks!

Recently I uncovered a bug in WhatsApp “Improper Implementation of My Status video time limit in WhatsApp”.Unfortunately, Facebook stated that We have no way to tell on the server side that the video is long due to end-to-end encryption”

As a security professional, I am posting this bug for User Awareness!

Improper Implementation of My Status video time limit in WhatsApp

It was observed that My Status video time limit feature in WhatsApp was not implemented adequately. This result in application vulnerable to privacy violation issue.

Scenario 1:The end users can view the full length of the video instead of 30 seconds without the knowledge of the victim. It can lead to misuse of video (e.g. malicious user can send the data/video across multiple platforms to multiple users which the victim does not intent to do so.)

Step 1: Login as a “user A” and noted the version of WhatsApp installed in Android device is “2.20.195.17” which is the latest version as on date.

Image for post

Image for post

Step 2: Select the respective video from the “chats” and forward it to “My Status”.

Image for post

Image for post

Image for post

Image for post

Step 3: Observe pop-up message stating “Videos sent to My Status will be trimmed to the first 30 seconds”.

Image for post

Image for post

Step 4: Video has been successfully shared at “My Status” and “user A” can view only the first 30 seconds of the video.

Image for post

Image for post

Step 5: Now login as a “user B” with another device and noted the version of WhatsApp installed in Android device is “2.20.195.17” which is the latest version as on date.

Image for post

Image for post

Step 6: Click on the status shared by “user A”.

Image for post

Image for post

Step 7: “User B” can view only the first 30 seconds of the video as shared by “user A”.

Image for post

Image for post

Step 8: Navigate to the Gallery (/storage/emulated/0/WhatsApp/Media/.Statuses) and observe the full length of the video.(user A has shared only the first 30 seconds of the video as shown in the above steps). Hence, a user B can send the data/video across multiple platforms to multiple users which a user A does not intent to do so.

Image for post

Image for post

Image for post

Image for post

Scenario 2: A victim (user A) can share his/her “My Status” video of 30 seconds to Facebook or forward/share to other contact knowing that it is only of 30 seconds, but the content which is being received by recipients is of full length.

Step 1: Repeat above scenario 1 steps 1 to 4.

Step 2: Click on forward/share functionality and select the recipients (i.e. user B)

Image for post

Image for post

Image for post

Image for post

Step 3: User A believes that video which is shared to user B is of 30 seconds(video that is showed under My Status is of 30 seconds), but the content which is being received by user B is of full length.

Image for post

Image for post

Step 4: Similarly, a user A can click on “Share to Facebook” functionality and the full length video will be shared to his/her Facebook Story.

Image for post

Image for post

Thank You!

Read Entire Article