Slashdot Mirror

← Back to Stories (view on slashdot.org)

WeChat IM Application Could Disclose Your Password To Attackers

Posted by Soulskill on from the conveniently-facilitates-account-sharing dept.

New submitter soulflyz writes "Security researchers found some security issues in WeChat, a popular instant messaging application developed by the Chinese company Tencet. By exploiting these vulnerabilities, any other application installed on the user's phone can force WeChat to send the user's password hash (in plain MD5 format) to an external web server, controlled by the attacker. Android versions of WeChat up to 4.5.1 are confirmed to be vulnerable, but similar issues could interest also other versions of the application. According to recent statistics, WeChat should have about 300 million registered users."

30 of 49 comments (clear)

  1. WeChat has a password? by Anonymous Coward · · Score: 4, Funny

    I've been using wechat for over a year on two phones and had no idea that I had a password.

    1. Re:WeChat has a password? by Anonymous Coward · · Score: 1

      Not only does WeChat have a password, but every other app on your phone has that password too.

  2. Vulnerability Reports != News by emBEDed · · Score: 1

    Seriously? Is every individual vulnerability in any piece of software going to make it on here now?

    --
    Keyboard Error: No keyboard detected. Press any key to continue...
    1. Re:Vulnerability Reports != News by AHuxley · · Score: 1

      Yes, slowly security researches world wide will move up the device, apps, software, freeware, open source lists.
      No longer will they trust any person saying its 'safe' based on their past work or having worked on a project for a few years++.
      No longer will they trust any education institution saying its 'safe' based on academic work for a few years+.
      No longer will they trust any company saying its 'safe' based on 'open source' work for a few years+.
      A lot of skilled coders are now looking back at all hard work they have done and seen what 'weak' contributions by people have done to their reputation.

      --
      Domestic spying is now "Benign Information Gathering"
  3. MD5? by Anonymous Coward · · Score: 1

    They should use SRP (Secure Remote Password).

    If they don't want to bother with something good (like SRP), they should at least drop in SCrypt in place of MD5. Using MD5 these days for anything secure is stupid.

    1. Re:MD5? by bmo · · Score: 2

      It's only a chat.

      The problem is sharing passwords, not the password method.

      I have a registered nick with rizon's nickserv. This means it has a password. It's just there to keep people from stomping on my name, that's it (as it should be in a *chat*) and the password is transmitted in plain text and probably stored that way.

      Do I give two shits whether someone sees it or swipes it? No, not particularly, because I don't use the same password anywhere else and all "they" are going to get is my nick. BFD.

      --
      BMO

    2. Re:MD5? by philip.paradis · · Score: 1

      all "they" are going to get is my nick. BFD.

      It's not a BFD until someone uses your nick and probably a good chunk of your chat history to produce communications that damage you or someone else via dirt simple social engineering. Also, in considering only your own case, you're failing to recognize the larger impact that might be experienced by others. That's okay, just keep going with your snide dismissal of gaping holes in service infrastructure. I've thought about problems like these since about 1994, and given your UID, you too should given some thought to the topic by now.

      --
      Write failed: Broken pipe
    3. Re:MD5? by cbhacking · · Score: 1

      SRP has a huge problem, though: there's no really good way to handle registration. In theory, SRP is great; a way to securely (in every way that matters) verify that two parties have the same password for a user even over a completley insecure network. In practice, it gets used very little because if you've solved the key distribution problem - that is, if you have a way to *get* that password to both parties, securely - then you've also solved the issue of securely logging in (in almost every situation). For basically every online service, the requirement that the user be able to establish an account / password remotely means that they're already using TLS, at which point the greatest advantage of SRP - the ability to use it over an insecure network - becomes irrelevant. If TLS isn't secure, it's too late already. If it is, then just use it; there's no meaningful advantage to SRP at that point.

      --
      There's no place I could be, since I've found Serenity...
    4. Re:MD5? by bmo · · Score: 1

      >It's not a BFD until someone uses your nick and probably a good chunk of your chat history

      It's IRC

      There is no "chat history" except what is kept locally. This is how it should be.

      . I've thought about problems like these since about 1994, and given your UID, you too should given some thought to the topic by now

      I've thought about it too, and I've come to the conclusion that my nick is disposable.

      --
      BMO

  4. hunter2 by Mr.+Sketch · · Score: 1

    Queue all the hunter2 jokes: http://www.bash.org/?244321

    --
    Things you think are in the Constitution, but are not.
  5. Never heard of it! by bogaboga · · Score: 1

    We*What? WeChat! Well, I use GoSMS

    Ohh wiat, it too, has Asian origins. Anyone see a trend here? I see one.

    1. Re:Never heard of it! by TrollstonButterbeans · · Score: 1

      Is the trend you see security related? Or attention-getting related?

      I care about security and I can't tell if you are saying GoSMS has similar problems --- I guess I'm saying I'm not 100% where you are headed with this ...

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  6. *Tencent by poity · · Score: 3, Informative

    with 2 'N's
    Same company that developes QQ

    --
    your thin skin doesn't make me a troll
    1. Re:*Tencent by flood78 · · Score: 1

      Yes, exactly like "10 cents"... you know the company worth billion of dollars?!

  7. Deliberate? by kLimePie · · Score: 1

    Maybe this is a backdoor.

  8. Wait a minute by viperidaenz · · Score: 2

    For this to be exploited, the attacker already successfully installed their own software on your phone.
    Your WeChat password hash should be the least of your concerns at this point.

    1. Re:Wait a minute by TrollstonButterbeans · · Score: 1

      Most of the easily exploited software on Android that is poorly written is supplied by AT&T, Verizon or T-Mobile and can't be uninstalled.

      On Android with these US carriers, I never know if a "malware" looking abusive feature was supplied by the phone company or if my phone got infected with something.

      Which is scary, because I think all the "malware looking crap" on my phone was supplied by the mobile carrier and isn't actually "malware" but intentional crapware meant to ruin my experience (but not on purpose, just the carrier chasing advert and annoyance dollars --- disgustingly enough) ...

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    2. Re:Wait a minute by blueg3 · · Score: 1

      already successfully installed their own software on your phone

      No, they're just able to execute code on your phone (in the context of some piece of software installed on your phone). There are plenty of approaches to remote code execution that are not the same as installing.

      should be the least of your concerns at this point

      While more or less true, vulnerabilities that enable you to do something dangerous with remote code execution capabilities are a major class of vulnerability. Just executing code in the context of some arbitrary application on the phone isn't necessarily very useful until you can do something evil with it.

    3. Re:Wait a minute by viperidaenz · · Score: 1

      http://get.cm/

    4. Re:Wait a minute by cbhacking · · Score: 1

      The "on the phone" and "in the context of some arbitrary application" points are the big ones, here. On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already. That is *slowly* changing - between UAC on Windows, browsers getting sandboxes, and the various sandboxed app stores for PC operating systems, it's better than it was - but in general, people still often really aren't that interested in exploits that already require code execution. Phone OSes, on the other hand, were built with sandboxing in mind from the start, and do not expect the attacker to be able to attack other apps. When that's possible, especially when it's something that the attacker may be able to use for other purposes (like a password, which is frequently re-used elsewhere), that is a threat.

      With that said, I agree, this is serious slow-news-day grade of /. post. I mean, I'm a security guy and generally quite interested in this stuff, and all I could register out of it was a rather bored "ho, hum, I wonder if they'd hire us for a security review...?"

      --
      There's no place I could be, since I've found Serenity...
    5. Re:Wait a minute by TrollstonButterbeans · · Score: 1

      Thanks for the link. I'm thinking hard about installing it ...

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    6. Re:Wait a minute by blueg3 · · Score: 1

      On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already.

      I think that really depends on the PC. If it's a regular consumer PC, that's a couple of the reasons. There are more. Regular consumer PCs are almost entirely single-user machines on uninteresting networks. The major benefit to hacking a consumer PC is obtaining the user's data, which is naturally available in a user context (because of poor sandboxing).

      Plenty of PCs, though, are more serious machines with multiple users, on interesting networks, or otherwise useful for long-term compromise. Long-term compromise, and doing other interesting things, really requires privilege escalation. Sure, there are lots of privilege-escalation vulnerabilities in desktop operating systems, but they keep getting fixed, so having them is actually relevant.

      people still often really aren't that interested in exploits that already require code execution

      I disagree. Privilege-escalation vulnerabilities are still pretty popular, just not as broadly applicable as remote code execution vulnerabilities.

      Phone OSes, on the other hand, were built with sandboxing in mind from the start, and do not expect the attacker to be able to attack other apps.

      That's the major interesting thing about this: that compromise of one app can cause the WeChat app to disclose potentially-sensitive data.

  9. Re:no dead babies here by viperidaenz · · Score: 1

    But how much MSG is in WeChat?

  10. uChat? WeJail! by aNonnyMouseCowered · · Score: 1

    I won't be surprised if the Chinese government is doing what the governments of all other large countries are doing, spying on its own citizens.

    1. Re:uChat? WeJail! by Desler · · Score: 1

      Why would you have been surprised? Never heard of the Great Firewall of China?

    2. Re:uChat? WeJail! by cdrudge · · Score: 1

      I thought the Great Firewall of China was keeping all the evil out of China. You know, the NSA, GCHQ, etc.

  11. MD5 is not "plain" by bickerdyke · · Score: 1

    it might be weak, or alreadyy broken, but by definition it is not "plain"

    --
    bickerdyke
    1. Re:MD5 is not "plain" by cbhacking · · Score: 2

      Close enough. The fastest and easist way to crack MD5 is actually absurdly easy: do a Google search for the digest. It works shockingly often (partially because Google has indexed a bunch of password dumps, effectively acting as a huge rainbow table for us). A completely unsalted MD5 password can be broken in a fraction of a second, almost guaranteed.

      I mean, from a really pedantic point of view, you're right... but from a real-world one, not really. MD5 as a password verifier is only slightly more secure than rot13 at this point.

      --
      There's no place I could be, since I've found Serenity...
  12. Clearly they should check their email by RobertinXinyang · · Score: 2

    This is in the article
    "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply."

    This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

    1. Re:Clearly they should check their email by sociocapitalist · · Score: 2

      This is in the article
      "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply."

      This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

      Or they might just be ignoring you :-)

      --
      blindly antisocialist = antisocial