Slashdot Mirror


WeChat IM Application Could Disclose Your Password To Attackers

New submitter soulflyz writes "Security researchers found some security issues in WeChat, a popular instant messaging application developed by the Chinese company Tencent. By exploiting these vulnerabilities, any other application installed on the user's phone can force WeChat to send the user's password hash (in plain MD5 format) to an external web server controlled by the attacker. Android versions of WeChat up to 4.5.1 are confirmed to be vulnerable, but similar issues could also affect other versions of the application. According to recent statistics, WeChat should have about 300 million registered users."

7 of 49 comments

  1. WeChat has a password? by Anonymous Coward · · Score: 4, Funny

    I've been using wechat for over a year on two phones and had no idea that I had a password.

  2. *Tencent by poity · · Score: 3, Informative

    with 2 'N's
    Same company that develops QQ

    --
    your thin skin doesn't make me a troll
  3. Re:MD5? by bmo · · Score: 2

    It's only a chat.

    The problem is sharing passwords, not the password method.

    I have a registered nick with rizon's nickserv. This means it has a password. It's just there to keep people from stomping on my name, that's it (as it should be in a *chat*) and the password is transmitted in plain text and probably stored that way.

    Do I give two shits whether someone sees it or swipes it? No, not particularly, because I don't use the same password anywhere else and all "they" are going to get is my nick. BFD.

    --
    BMO

  4. Wait a minute by viperidaenz · · Score: 2

    For this to be exploited, the attacker already successfully installed their own software on your phone.
    Your WeChat password hash should be the least of your concerns at this point.

  5. Clearly they should check their email by RobertinXinyang · · Score: 2

    This is in the article
    "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3rd, but we got no reply."

    This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

    1. Re:Clearly they should check their email by sociocapitalist · · Score: 2

      This is in the article
      "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3rd, but we got no reply."

      This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

      Or they might just be ignoring you :-)

      --
      blindly antisocialist = antisocial
  6. Re:MD5 is not "plain" by cbhacking · · Score: 2

    Close enough. The fastest and easiest way to crack MD5 is actually absurdly easy: do a Google search for the digest. It works shockingly often (partially because Google has indexed a bunch of password dumps, effectively acting as a huge rainbow table for us). A completely unsalted MD5 password can be broken in a fraction of a second, almost guaranteed.

    I mean, from a really pedantic point of view, you're right... but from a real-world one, not really. MD5 as a password verifier is only slightly more secure than rot13 at this point.

    --
    There's no place I could be, since I've found Serenity...
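An added example, not part of the thread and not code from WeChat, Tencent or the researchers, that shows the asymmetry cbhacking is describing: an unsalted MD5 digest is the same for every user who picked that password, so one precomputed digest-to-plaintext table (a password dump indexed by a search engine, a rainbow table) cracks it with a single lookup and no hashing at crack time. The same password behind a per-user salt and an iterated KDF cannot be looked up at all; every guess has to be re-hashed with the victim's salt. The wordlist, the victim password and the use of PBKDF2-HMAC-SHA256 as the contrasting verifier are all assumptions made for the demo, not anything the article says about WeChat.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the leaked password dumps a search
# engine or rainbow table has already indexed (assumption, not from the page).
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "wechat2013"]
ITERATIONS = 10_000  # kept low so the demo is quick; real deployments use far more


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password: the kind of verifier the submission says leaks."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Digest -> plaintext table. Built once and reusable against every victim,
    because an unsalted digest is identical for everyone with that password."""
    return {md5_hex(w): w for w in words}


def crack_unsalted_md5(digest_hex: str, table: dict):
    """A single dictionary lookup; no hashing happens at crack time."""
    return table.get(digest_hex.lower())


def salted_verifier(password: str, salt: bytes) -> bytes:
    """Per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256, chosen for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def crack_salted(salt: bytes, target: bytes, words):
    """Online guessing against a salted verifier: each candidate must be re-hashed
    with this victim's salt, so the precomputed table is useless and every guess
    costs ITERATIONS hash calls. Returns (plaintext or None, guesses hashed)."""
    guesses = 0
    for w in words:
        guesses += 1
        if hmac.compare_digest(salted_verifier(w, salt), target):
            return w, guesses
    return None, guesses


if __name__ == "__main__":
    victim_password = "wechat2013"  # constructed example password
    table = build_lookup(WORDLIST)

    leaked = md5_hex(victim_password)
    print("unsalted MD5", leaked, "->", crack_unsalted_md5(leaked, table))

    salt = os.urandom(16)
    stored = salted_verifier(victim_password, salt)
    print("table hit on salted hash:", crack_unsalted_md5(stored.hex(), table))
    print("salted crack (plaintext, guesses hashed):", crack_salted(salt, stored, WORDLIST))
```

The point is not that salting makes a weak password uncrackable (the salted run still finds "wechat2013", because it is in the wordlist) but that the attacker's work can no longer be done once in advance and shared: it has to be repeated per victim, and each guess costs the full KDF.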