Recently I uncovered a bug in WhatsApp “Improper Implementation of My Status video time limit in WhatsApp”.Unfortunately, Facebook stated that “We have no way to tell on the server side that the video is long due to end-to-end encryption”
As a Cyber security professional, I am posting this bug for User Awareness!
Improper Implementation of My Status video time limit in WhatsApp
It was observed that My Status video time limit feature in WhatsApp was not implemented adequately. This results in application vulnerable to privacy violation issue.
Scenario 1:The end users can view the full length of the video instead of 30 seconds without the knowledge of the victim. It can lead to misuse of video (e.g. malicious user can send the data/video across multiple platforms to multiple users which the victim does not intent to do so.)
Step 1: Login as a “user A” and noted the version of WhatsApp installed in Android device is “188.8.131.52” which is the latest version as on date.
Step 2: Select the respective video from the “chats” and forward it to “My Status”.
Step 3: Observe pop-up message stating “Videos sent to My Status will be trimmed to the first 30 seconds”.
Step 4: Video has been successfully shared at “My Status” and “user A” can view only the first 30 seconds of the video.
Step 5: Now login as a “user B” with another device and noted the version of WhatsApp installed in Android device is “184.108.40.206” which is the latest version as on date.
Step 6: Click on the status shared by “user A”.
Step 7: From the WhatsApp application UI, “User B” can view only the first 30 seconds of the video as shared by “user A”.
Step 8: On the mobile device of user B, navigate to the Gallery (/storage/emulated/0/WhatsApp/Media/.Statuses) and observe the full length of the video.(user A has shared only the first 30 seconds of the video as shown in the above steps).
Impact (Scenario 1):Hence, the user B can send the data/video across multiple platforms to multiple users which a user A does not intent to do so.
Impact (Scenario 2): A victim (user A) can share his/her “My Status” video of 30 seconds to Facebook or forward/share to other contact knowing that it is only of 30 seconds, but the content which is being received by recipients is of full length.
Step 1: Repeat above scenario 1 steps 1 to 4.
Step 2: Click on forward/share functionality and select the recipients (i.e. user B)
Step 3: User A believes that video which is shared to user B is of 30 seconds(video that is showed under My Status is of 30 seconds), but the content which is being received by user B is of full length.
Step 4: Similarly, a user A can click on “Share to Facebook” functionality and the full length video will be shared to his/her Facebook Story.