
WeChat IM Application Could Disclose Your Password To Attackers

Soulskill posted about a year ago | from the conveniently-facilitates-account-sharing dept.

Security 49

New submitter soulflyz writes "Security researchers found some security issues in WeChat, a popular instant messaging application developed by the Chinese company Tencet. By exploiting these vulnerabilities, any other application installed on the user's phone can force WeChat to send the user's password hash (in plain MD5 format) to an external web server controlled by the attacker. Android versions of WeChat up to 4.5.1 are confirmed to be vulnerable, but similar issues could also affect other versions of the application. According to recent statistics, WeChat should have about 300 million registered users."
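The submission does not say which WeChat component the other app drives, and nothing here should be read as a description of that bug. What it does describe is the general shape: one app on the phone making another app act. On Android that requires an exported component (activity, service, receiver or provider), which is the first thing a reviewer checks. The following is an added example, my own code rather than anything from the page, the researchers or Tencent: it reads a decoded AndroidManifest.xml (as apktool produces) and lists components that another app can invoke without holding a permission. The sample manifest, package and component names are constructed for the example.

```python
"""List Android components that any co-installed app can invoke.

Added example, not code from the page, the researchers or Tencent: it parses a
decoded AndroidManifest.xml and reports components that are exported and
guarded by no android:permission. The rules are the ones documented for the
Android manifest; the sample manifest at the bottom is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """The MAIN/LAUNCHER activity is exported by design; do not report it."""
    for flt in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def find_exposed_components(manifest_xml, target_sdk=None):
    """Return [(tag, name, reason)] for components other apps can reach.

    A component is exported when android:exported="true", or when the attribute
    is absent and an <intent-filter> is declared; a <provider> with the attribute
    absent is exported when targetSdkVersion < 17. Components that demand an
    android:permission from the caller are not reported.
    """
    root = ET.fromstring(manifest_xml)
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter present, android:exported unspecified"
        elif exported is None and comp.tag == "provider" and target_sdk < 17:
            reason = "provider, android:exported unspecified, targetSdkVersion < 17"
        else:
            continue
        if _attr(comp, "permission") or _is_launcher(comp):
            continue
        findings.append((comp.tag, _attr(comp, "name"), reason))
    return findings


# Constructed sample manifest; the package and component names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.chat.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver"
        android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountProvider" android:authorities="com.example.chat.account"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_exposed_components(SAMPLE_MANIFEST):
        print(f"{tag:<9} {name:<20} {reason}")
```

Run against the sample it reports three entry points (an explicitly exported activity, a service exported by virtue of its intent filter, and a provider exported by the pre-API-17 default) and stays quiet about the launcher, the permission-guarded receiver and the explicitly non-exported service. Each reported component is a place where an attacker's app can supply input, which is exactly what makes "any other application installed on the user's phone" a meaningful threat model.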


WeChat has a password? (4, Funny)

Anonymous Coward | about a year ago | (#44880169)

I've been using wechat for over a year on two phones and had no idea that I had a password.

Re:WeChat has a password? (1)

Anonymous Coward | about a year ago | (#44880275)

Not only does WeChat have a password, but every other app on your phone has that password too.

Re:WeChat has a password? (0)

Anonymous Coward | about a year ago | (#44881127)

You can setup a password in case you lose access to your phone number or intentionally change phone numbers. It's also used for other things too, but I don't remember.

witches (0, Funny)

Anonymous Coward | about a year ago | (#44880191)

God damn, it's the fucken middle ages. Nothing but crazy-ass fears of fraud and cons and hackers and trojans and so much ignorance and fears and crazy crazy tin-foil hat

my husband turned into a frog cause I haven't seen him

Everybody is a basket case. They misclick and think their computer is hijacked by the FSB. Crazy-ass thinking. Chill. Who's creating all this hysteria? The trusted companies who are refuge stand to benefit. The fucken CIA is evil fuckers.

Re:witches (0)

Anonymous Coward | about a year ago | (#44880241)

Tell that to my brother, you uncaring coward - he just lost USD$17K from online banking identity theft. Twice.

Re:witches (0)

Anonymous Coward | about a year ago | (#44880535)

No he didn't. STFU

Re:witches (0)

Anonymous Coward | about a year ago | (#44880647)

You don't write so good.

Re:witches (0)

Anonymous Coward | about a year ago | (#44881937)

So well. You don't write so well.

Vulnerability Reports != News (1)

emBEDed (3013359) | about a year ago | (#44880291)

Seriously? Is every individual vulnerability in any piece of software going to make it on here now?

The fact it makes news is relevant (0)

Anonymous Coward | about a year ago | (#44880439)

If it didn't make news then it had been sold as an exploit to NSA. If it makes news then it failed to sell. So 'newsworthy' is important.

I'm happy this is public and disclosed because now it can be fixed.

Re:Vulnerability Reports != News (1)

AHuxley (892839) | about a year ago | (#44880449)

Yes, slowly security researchers worldwide will move up the device, apps, software, freeware, open source lists.
No longer will they trust any person saying it's 'safe' based on their past work or having worked on a project for a few years++.
No longer will they trust any educational institution saying it's 'safe' based on academic work for a few years+.
No longer will they trust any company saying it's 'safe' based on 'open source' work for a few years+.
A lot of skilled coders are now looking back at all the hard work they have done and seeing what 'weak' contributions by people have done to their reputation.

MD5? (1)

Anonymous Coward | about a year ago | (#44880309)

They should use SRP (Secure Remote Password). [wikipedia.org]

If they don't want to bother with something good (like SRP), they should at least drop in scrypt in place of MD5. Using MD5 these days for anything secure is stupid.

Re:MD5? (2)

bmo (77928) | about a year ago | (#44880567)

It's only a chat.

The problem is sharing passwords, not the password method.

I have a registered nick with rizon's nickserv. This means it has a password. It's just there to keep people from stomping on my name, that's it (as it should be in a *chat*) and the password is transmitted in plain text and probably stored that way.

Do I give two shits whether someone sees it or swipes it? No, not particularly, because I don't use the same password anywhere else and all "they" are going to get is my nick. BFD.

--
BMO

Re:MD5? (0)

Anonymous Coward | about a year ago | (#44880837)

Proper use of SRP makes you a lot more secure in the case of password sharing than simple hashes. It also resists replay attacks, and phishing schemes (assuming the client side software isn't crap, like, say, a web browser).

Salting helps too, and so would a better hash function.

Re:MD5? (1)

cbhacking (979169) | about a year ago | (#44881921)

SRP has a huge problem, though: there's no really good way to handle registration. In theory, SRP is great; a way to securely (in every way that matters) verify that two parties have the same password for a user even over a completely insecure network. In practice, it gets used very little because if you've solved the key distribution problem - that is, if you have a way to *get* that password to both parties, securely - then you've also solved the issue of securely logging in (in almost every situation). For basically every online service, the requirement that the user be able to establish an account / password remotely means that they're already using TLS, at which point the greatest advantage of SRP - the ability to use it over an insecure network - becomes irrelevant. If TLS isn't secure, it's too late already. If it is, then just use it; there's no meaningful advantage to SRP at that point.
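The three SRP comments in this subthread (use it instead of a hash; it resists replay; registration still needs TLS) are easier to weigh with the protocol in front of you. What follows is an added example, my own code rather than anything from the page or from any SRP library: both halves of an SRP-6a exchange, enrolment included, plus a replay of a captured transcript against a fresh server run. Assumptions made for the example: the 1024-bit group from RFC 5054 (longer groups are the norm today), SHA-256 for every hash, and M1 = H(A | B | K) as the client's proof; the group constant is checked for safe-primality rather than trusted.

```python
"""SRP-6a password login, both sides, in one file.

Added example, not from the page or any project: enrolment stores a verifier
v = g^x mod N rather than a hash of the password, and every login mixes fresh
randomness from client and server, so a recorded transcript cannot be replayed.
Assumed here: the 1024-bit RFC 5054 group, SHA-256 throughout, M1 = H(A|B|K).
"""
import hashlib
import hmac
import secrets

N = int("".join("""
EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576
D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1
5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC
68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3
""".split()), 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed by the group

def _x(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username, password, salt=None):
    """Enrolment: the server keeps (salt, v) and never sees the password. This
    message itself still needs an authenticated channel such as TLS."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return {"user": username, "salt": salt, "v": pow(g, _x(username, password, salt), N)}

def client_start():
    a = int.from_bytes(secrets.token_bytes(32), "big")
    return a, pow(g, a, N)                                  # client -> server: A

def server_start(record):
    b = int.from_bytes(secrets.token_bytes(32), "big")
    return b, (k * record["v"] + pow(g, b, N)) % N          # server -> client: salt, B

def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("refusing B == 0 mod N")
    u = H(pad(A), pad(B))
    x = _x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(pad(S)).digest()
    return K, hashlib.sha256(pad(A) + pad(B) + K).digest()  # client -> server: M1

def server_finish(record, b, A, B, M1):
    if A % N == 0:
        raise ValueError("refusing A == 0 mod N")
    u = H(pad(A), pad(B))
    S = pow((A * pow(record["v"], u, N)) % N, b, N)
    K = hashlib.sha256(pad(S)).digest()
    if not hmac.compare_digest(hashlib.sha256(pad(A) + pad(B) + K).digest(), M1):
        return None                                         # wrong password or replayed M1
    return K

def login(record, username, password):
    """One exchange; returns (accepted, keys_agree, (A, M1) for the replay test)."""
    a, A = client_start()
    b, B = server_start(record)
    K_client, M1 = client_finish(username, password, record["salt"], a, A, B)
    K_server = server_finish(record, b, A, B, M1)
    return K_server is not None, K_server == K_client, (A, M1)

def replay(record, transcript):
    """Feed a captured (A, M1) to a fresh server run; the new b changes B, u and K."""
    A, M1 = transcript
    b, B = server_start(record)
    return server_finish(record, b, A, B, M1) is not None

def _probably_prime(m, rounds=16):
    if m < 4:
        return m in (2, 3)
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(m - 3) + 2, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def is_safe_prime(n):
    """Check the group constant instead of trusting it: N and (N-1)/2 both prime."""
    return _probably_prime(n) and _probably_prime((n - 1) // 2)
```

Note what the server record holds: a salt and v, never the password or a bare hash of it. A leaked v still permits an offline guess per user (it is salted, so no shared table), but it is not itself a login credential, which is the contrast with an unsalted MD5 being handed to whoever asks. The registration call is where cbhacking's objection lands: the (salt, v) message has to reach the server over an authenticated channel, and once you have that channel for enrolment you have it for login too.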

Re:MD5? (1)

philip.paradis (2580427) | about a year ago | (#44880945)

> all "they" are going to get is my nick. BFD.

It's not a BFD until someone uses your nick and probably a good chunk of your chat history to produce communications that damage you or someone else via dirt simple social engineering. Also, in considering only your own case, you're failing to recognize the larger impact that might be experienced by others. That's okay, just keep going with your snide dismissal of gaping holes in service infrastructure. I've thought about problems like these since about 1994, and given your UID, you too should have given some thought to the topic by now.

Re:MD5? (1)

bmo (77928) | about a year ago | (#44883785)

>It's not a BFD until someone uses your nick and probably a good chunk of your chat history

It's IRC

There is no "chat history" except what is kept locally. This is how it should be.

> I've thought about problems like these since about 1994, and given your UID, you too should have given some thought to the topic by now

I've thought about it too, and I've come to the conclusion that my nick is disposable.

--
BMO

Look, listen, learn about the culture of swing (-1)

Anonymous Coward | about a year ago | (#44880323)

Givens:

Chinese know shit about secure anything.

Software and Chinese? Have you ever seen anyone code in Chinese? No! Code is always in American. How can you expect Chinese to code? You can't. No more than you can expect an American to write Chinese, backwards, on a 5150 keyboard. Just can't be done.

no dead babies here (0)

Anonymous Coward | about a year ago | (#44880387)

At least WeChat doesn't have lead in it.

Re:no dead babies here (1)

viperidaenz (2515578) | about a year ago | (#44880585)

But how much MSG is in WeChat?

Re:no dead babies here (0)

Anonymous Coward | about a year ago | (#44880827)

Yeah but you still get hungry again five minutes after eating.

Re:Look, listen, learn about the culture of swing (0)

Anonymous Coward | about a year ago | (#44880703)

That's funny, just like what a stupid narrow-minded American would write! Now do the British!

Re:Look, listen, learn about the culture of swing (0)

Anonymous Coward | about a year ago | (#44880755)

> Chinese know shit about secure anything.

According to Edward Snowden, neither does any American.

> Software and Chinese? Have you ever seen anyone code in Chinese? No! Code is always in American. How can you expect Chinese to code? You can't.

"300 million users" begs to differ.

Never heard of it! (1)

bogaboga (793279) | about a year ago | (#44880435)

We*What? WeChat! Well, I use GoSMS [google.com]

Oh wait, it too has Asian origins. Anyone see a trend here? I see one.

Deliberate? (1)

kLimePie (3031053) | about a year ago | (#44880533)

Maybe this is a backdoor.

uChat? WeJail! (1)

aNonnyMouseCowered (2693969) | about a year ago | (#44880699)

I won't be surprised if the Chinese government is doing what the governments of all other large countries are doing, spying on its own citizens.

Re:uChat? WeJail! (1)

Desler (1608317) | about a year ago | (#44880725)

Why would you have been surprised? Never heard of the Great Firewall of China?

Re:uChat? WeJail! (1)

cdrudge (68377) | about a year ago | (#44882245)

I thought the Great Firewall of China was keeping all the evil out of China. You know, the NSA, GCHQ, etc.

Re:Never heard of it! (1)

TrollstonButterbeans (2914995) | about a year ago | (#44880719)

Is the trend you see security related? Or attention-getting related?

I care about security and I can't tell if you are saying GoSMS has similar problems --- I guess I'm saying I'm not 100% where you are headed with this ...

Me chinese, me make joke (0)

JoeyRox (2711699) | about a year ago | (#44880503)

Me upload your unprotected password to a 3rd-party website and hope you use that same password for your online banking so that we can steal funds from your accounts.

Oh, and we put peepee in your coke.

*Tencent (3, Informative)

poity (465672) | about a year ago | (#44880525)

with 2 'N's
Same company that develops QQ

Re:*Tencent (2)

flood78 (2511510) | about a year ago | (#44880711)

Yes, exactly like "10 cents"... you know, the company worth billions of dollars?!

Wait a minute (2)

viperidaenz (2515578) | about a year ago | (#44880579)

For this to be exploited, the attacker already successfully installed their own software on your phone.
Your WeChat password hash should be the least of your concerns at this point.

Re:Wait a minute (0)

Anonymous Coward | about a year ago | (#44880673)

Some say asian girls are demanding, but now I get why all those "hot asian girls"-apps demand so many permissions!

Re:Wait a minute (-1)

Anonymous Coward | about a year ago | (#44880709)

Other than the tight pussies Asian bitches just aint worth the efffort.

Re:Wait a minute (1)

TrollstonButterbeans (2914995) | about a year ago | (#44880737)

Most of the easily exploited software on Android that is poorly written is supplied by AT&T, Verizon or T-Mobile and can't be uninstalled.

On Android with these US carriers, I never know if a "malware" looking abusive feature was supplied by the phone company or if my phone got infected with something.

Which is scary, because I think all the "malware looking crap" on my phone was supplied by the mobile carrier and isn't actually "malware" but intentional crapware meant to ruin my experience (but not on purpose, just the carrier chasing advert and annoyance dollars --- disgustingly enough) ...

Re:Wait a minute (1)

viperidaenz (2515578) | about a year ago | (#44881275)

http://get.cm/ [get.cm]

Re:Wait a minute (1)

TrollstonButterbeans (2914995) | about a year ago | (#44882177)

Thanks for the link. I'm thinking hard about installing it ...

Re:Wait a minute (1)

blueg3 (192743) | about a year ago | (#44880819)

> already successfully installed their own software on your phone

No, they're just able to execute code on your phone (in the context of some piece of software installed on your phone). There are plenty of approaches to remote code execution that are not the same as installing.

> should be the least of your concerns at this point

While more or less true, vulnerabilities that enable you to do something dangerous with remote code execution capabilities are a major class of vulnerability. Just executing code in the context of some arbitrary application on the phone isn't necessarily very useful until you can do something evil with it.

Re:Wait a minute (1)

cbhacking (979169) | about a year ago | (#44881943)

The "on the phone" and "in the context of some arbitrary application" points are the big ones, here. On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already. That is *slowly* changing - between UAC on Windows, browsers getting sandboxes, and the various sandboxed app stores for PC operating systems, it's better than it was - but in general, people still often really aren't that interested in exploits that already require code execution. Phone OSes, on the other hand, were built with sandboxing in mind from the start, and do not expect the attacker to be able to attack other apps. When that's possible, especially when it's something that the attacker may be able to use for other purposes (like a password, which is frequently re-used elsewhere), that is a threat.

With that said, I agree, this is serious slow-news-day grade of /. post. I mean, I'm a security guy and generally quite interested in this stuff, and all I could register out of it was a rather bored "ho, hum, I wonder if they'd hire us for a security review...?"

Re:Wait a minute (1)

blueg3 (192743) | about a year ago | (#44882871)

> On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already.

I think that really depends on the PC. If it's a regular consumer PC, that's a couple of the reasons. There are more. Regular consumer PCs are almost entirely single-user machines on uninteresting networks. The major benefit to hacking a consumer PC is obtaining the user's data, which is naturally available in a user context (because of poor sandboxing).

Plenty of PCs, though, are more serious machines with multiple users, on interesting networks, or otherwise useful for long-term compromise. Long-term compromise, and doing other interesting things, really requires privilege escalation. Sure, there are lots of privilege-escalation vulnerabilities in desktop operating systems, but they keep getting fixed, so having them is actually relevant.

> people still often really aren't that interested in exploits that already require code execution

I disagree. Privilege-escalation vulnerabilities are still pretty popular, just not as broadly applicable as remote code execution vulnerabilities.

> Phone OSes, on the other hand, were built with sandboxing in mind from the start, and do not expect the attacker to be able to attack other apps.

That's the major interesting thing about this: that compromise of one app can cause the WeChat app to disclose potentially-sensitive data.

Proprietary Chinese software (0)

Anonymous Coward | about a year ago | (#44881083)

Yeah, sounds like the pinnacle of security...

MD5 is not "plain" (1)

bickerdyke (670000) | about a year ago | (#44881445)

It might be weak, or already broken, but by definition it is not "plain".

Re:MD5 is not "plain" (2)

cbhacking (979169) | about a year ago | (#44881951)

Close enough. The fastest and easiest way to crack MD5 is actually absurdly easy: do a Google search for the digest. It works shockingly often (partially because Google has indexed a bunch of password dumps, effectively acting as a huge rainbow table for us). A completely unsalted MD5 password can be broken in a fraction of a second, almost guaranteed.

I mean, from a really pedantic point of view, you're right... but from a real-world one, not really. MD5 as a password verifier is only slightly more secure than rot13 at this point.
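To put numbers on the two points made above (drop in scrypt instead of MD5; an unsalted MD5 digest is one lookup away), here is an added example, not from the page: a constructed "leak" of three users' verifiers, attacked once as unsalted MD5 and once as salted scrypt, counting the work each takes. The users, passwords and wordlist are made up, and the scrypt parameters are illustrative rather than a recommendation for any particular deployment.

```python
"""Why a "plain MD5" password verifier falls instantly, and what a slow,
salted hash changes. Added example, not from the page; the leaked records and
the wordlist are constructed here, and the scrypt cost is illustrative."""
import hashlib
import hmac
import os

# Constructed wordlist; a real one is millions of entries, but the cost model
# below does not change with its size.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou", "monkey", "hunter2"]


def md5_verifier(password: str) -> str:
    """What a naive service stores: hex(MD5(password)). No salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(leaked: dict, wordlist) -> tuple:
    """Build one MD5 table for the wordlist and look every user up in it.

    The table costs len(wordlist) hashes no matter how many users leaked, and it
    can be precomputed or shared; a search engine that indexed old dumps is the
    same table with zero local work. Returns (user -> password, table size)."""
    table = {md5_verifier(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}, len(table)


SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # illustrative; raise N as hardware allows


def scrypt_verifier(password: str, salt: bytes = None) -> tuple:
    """What to store instead: (salt, scrypt(password, salt)) with a fresh 16-byte
    salt per user. Memory-hard, so every guess is expensive and per-user."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def scrypt_check(password: str, record: tuple) -> bool:
    salt, key = record
    return hmac.compare_digest(scrypt_verifier(password, salt)[1], key)


def crack_scrypt(leaked: dict, wordlist) -> tuple:
    """No shared table is possible: the salt forces one KDF call per (user, guess).
    Returns (user -> password, number of scrypt evaluations spent)."""
    found, calls = {}, 0
    for user, record in leaked.items():
        for w in wordlist:
            calls += 1
            if scrypt_check(w, record):
                found[user] = w
                break
    return found, calls


def demo():
    """Constructed leak: three users, two of whom reuse the same weak password."""
    users = {"alice": "hunter2", "bob": "letmein", "carol": "hunter2"}
    md5_leak = {u: md5_verifier(p) for u, p in users.items()}
    scrypt_leak = {u: scrypt_verifier(p) for u, p in users.items()}
    return crack_md5(md5_leak, WORDLIST), crack_scrypt(scrypt_leak, WORDLIST), md5_leak, scrypt_leak


if __name__ == "__main__":
    (md5_found, table), (scrypt_found, calls), md5_leak, scrypt_leak = demo()
    print("MD5:    cracked", md5_found, "with one", table, "-entry table")
    print("scrypt: cracked", scrypt_found, "after", calls, "KDF evaluations")
    print("alice and carol share a digest under MD5:", md5_leak["alice"] == md5_leak["carol"])
```

Two things the run makes visible. Under MD5 the attacker hashes the wordlist once and recovers every user in the dump at no extra cost, and alice and carol get the identical digest, so password reuse is readable straight out of the leak. Under salted scrypt the same wordlist costs one memory-hard evaluation per user per guess, and the two records for the same password look unrelated. The weak password is still recoverable in both cases; the hash only changes what each guess costs and whether it can be amortised across users, which is why a slow salted hash is the floor rather than a substitute for a decent password.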

Clearly they should check their email (2)

RobertinXinyang (1001181) | about a year ago | (#44881447)

This is in the article:
> "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply."

This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

Re:Clearly they should check their email (2)

sociocapitalist (2471722) | about a year ago | (#44882089)

> This is in the article:
> "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply."
>
> This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

Or they might just be ignoring you :-)

an app of chinese origin has a nasty exploit. (0)

Anonymous Coward | about a year ago | (#44883273)

hmm.. imagine that. china not really any different than the good ol' us of a in that regard.

This is why I use Windows Phone (0)

Anonymous Coward | about a year ago | (#44883303)

Android security is a joke.
