
Knowledge Update: 12 January 2018

22-January-2018 - Blog - Posted by Tom Lejava

This week’s Knowledge Update discusses a possible flaw in WhatsApp, a data breach at a toy firm and an exploit discovered in Google Drive.

Research has claimed WhatsApp’s group messaging feature can be compromised.

A research team released a paper last week claiming that the group messaging feature in WhatsApp can be compromised. With control over a WhatsApp server, an attacker can act as the “Admin” of an encrypted group chat and manipulate user activity, without the presence of a new member being discovered. Matthew Green wrote in a blog post: “The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server”.

However, WhatsApp and Moxie Marlinspike (the developer of Signal, the messaging technology WhatsApp is based on) argue that the researchers have got it wrong. They released a statement saying: “We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group.” Not only that, the encryption prevents an attacker from viewing past group messages because they do not have access to the encryption key.

The researchers have proposed fixes, such as requiring Signal and WhatsApp to ensure management messages are signed by group administrators only. WhatsApp declined to say if the fixes are being considered.
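The proposed fix can be sketched in code. The following is an added example, not code from the paper, WhatsApp or Signal: a simplified client model in Node.js that contrasts applying server-relayed membership changes as-is with applying them only when signed by a known group administrator. The message fields, the `GroupClient` class and the Ed25519 key handling are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not WhatsApp's or Signal's real protocol.
const { generateKeyPairSync, sign, verify } = require('node:crypto');
// Bytes covered by the signature; group, admin and sequence number are bound in.
function encode(m) {
  return Buffer.from(JSON.stringify([m.group, m.admin, m.action, m.member, m.seq]));
}
function signManagement(m, adminPrivateKey) {
  return { ...m, sig: sign(null, encode(m), adminPrivateKey).toString('base64') };
}
class GroupClient {
  constructor(groupId, adminKeys) {
    this.groupId = groupId;
    this.adminKeys = adminKeys; // Map: admin name -> public key (assumed verified by members)
    this.members = new Set();
    this.lastSeq = 0;
  }
  // Weak design: whatever membership change the server relays is applied.
  applyUnsigned(m) {
    if (m.action === 'add') this.members.add(m.member);
    return true;
  }
  // Proposed fix: apply a change only if a known admin of this group signed it.
  applySigned(m) {
    const key = this.adminKeys.get(m.admin);
    if (!key || typeof m.sig !== 'string') return false;
    if (m.group !== this.groupId || m.seq <= this.lastSeq) return false;
    if (!verify(null, encode(m), key, Buffer.from(m.sig, 'base64'))) return false;
    this.lastSeq = m.seq; // reject replays of older management messages
    if (m.action === 'add') this.members.add(m.member);
    return true;
  }
}

// Constructed sample messages; all names and keys are made up for the demo.
function demo() {
  const admin = generateKeyPairSync('ed25519');
  const server = generateKeyPairSync('ed25519'); // key held by the untrusted server
  const naive = new GroupClient('g1', new Map());
  const strict = new GroupClient('g1', new Map([['alice', admin.publicKey]]));
  const forged = { group: 'g1', admin: 'alice', action: 'add', member: 'mallory', seq: 1 };
  const genuine = signManagement({ ...forged, member: 'bob' }, admin.privateKey);
  return {
    naiveAddsMallory: naive.applyUnsigned(forged) && naive.members.has('mallory'),
    rejectsUnsigned: !strict.applySigned(forged),
    rejectsServerKey: !strict.applySigned(signManagement(forged, server.privateKey)),
    acceptsAdmin: strict.applySigned(genuine) && strict.members.has('bob'),
    rejectsReplay: !strict.applySigned(genuine),
  };
}
```

The check is only as strong as the way members learn the administrator's public key: if the server can substitute that key, the signature adds nothing.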

Be vigilant of unusual activity when using WhatsApp. Keep an eye out for new software that may be released to patch potential flaws. Antivirus is also available for your mobile devices, to enhance security.

Read more.

Toy firm VTech fined $650,000 over data breach

VTech will have to pay $650,000 (£480,000) to settle charges that it failed to protect children’s privacy while they used its gadgets. While investigating the breach, the US Federal Trade Commission (FTC) found that VTech had broken US laws governing the way data about children is gathered. The FTC also said that VTech “failed to take responsible steps” to secure their data.

The implementation of the General Data Protection Act this year will increase the requirements on companies to protect children’s data. It will also be mandatory for organisations to report data breaches that risk harm to individuals. Information on GDPR and how it could affect your business can be found here.

Read more.

Google Drive exploited to download malware directly from URL

A vulnerability has emerged that allows hackers to automatically download malware to a victim’s computer directly from a Google Drive URL.

Proofpoint uncovered the vulnerability and created a proof-of-concept exploit for the issue, which exists in Google Apps Script. The development platform is based on JavaScript and allows the creation of both standalone web apps and extensions to various elements of the Google Apps SaaS ecosystem. Unfortunately, the normal document-sharing capabilities built into Google Apps can be manipulated to support automatic malware downloads, the firm said.

It works like this: After uploading malicious files or malware executables on Google Drive, bad actors could create a public link and share an arbitrary Google Doc as a lure in sophisticated social engineering schemes, designed to convince recipients to execute the malware once it has been downloaded. Proofpoint researchers also confirmed that it was possible to trigger exploits without user interaction.

Anti-virus software should be installed on your device and automatic updates should be enabled. Anti-virus software can be used to detect and remove malware from your corporate networks. Learn how best to protect your small business with the National Cyber Security Centre small business videos found here.

Read more.

Copyright London Digital Security Centre (LDSC) 2017