
WeChat IM Application Could Disclose Your Password To Attackers 49

Posted by Soulskill
from the conveniently-facilitates-account-sharing dept.
New submitter soulflyz writes "Security researchers found some security issues in WeChat, a popular instant messaging application developed by the Chinese company Tencet. By exploiting these vulnerabilities, any other application installed on the user's phone can force WeChat to send the user's password hash (in plain MD5 format) to an external web server controlled by the attacker. Android versions of WeChat up to 4.5.1 are confirmed to be vulnerable, but similar issues could also affect other versions of the application. According to recent statistics, WeChat should have about 300 million registered users."
  • by Anonymous Coward on Tuesday September 17, 2013 @10:11PM (#44880169)

    I've been using wechat for over a year on two phones and had no idea that I had a password.

    • by Anonymous Coward

      Not only does WeChat have a password, but every other app on your phone has that password too.

  • Seriously? Is every individual vulnerability in any piece of software going to make it on here now?
    • by AHuxley (892839)
      Yes, slowly security researchers worldwide will move up the device, apps, software, freeware, open source lists.
      No longer will they trust any person saying its 'safe' based on their past work or having worked on a project for a few years++.
      No longer will they trust any education institution saying its 'safe' based on academic work for a few years+.
      No longer will they trust any company saying its 'safe' based on 'open source' work for a few years+.
      A lot of skilled coders are now looking back at all hard
  • by Anonymous Coward

    They should use SRP (Secure Remote Password). [wikipedia.org]

    If they don't want to bother with something good (like SRP), they should at least drop in SCrypt in place of MD5. Using MD5 these days for anything secure is stupid.

    • by bmo (77928)

      It's only a chat.

      The problem is sharing passwords, not the password method.

      I have a registered nick with rizon's nickserv. This means it has a password. It's just there to keep people from stomping on my name, that's it (as it should be in a *chat*) and the password is transmitted in plain text and probably stored that way.

      Do I give two shits whether someone sees it or swipes it? No, not particularly, because I don't use the same password anywhere else and all "they" are going to get is my nick. BFD.

      --
      B

      • all "they" are going to get is my nick. BFD.

        It's not a BFD until someone uses your nick and probably a good chunk of your chat history to produce communications that damage you or someone else via dirt simple social engineering. Also, in considering only your own case, you're failing to recognize the larger impact that might be experienced by others. That's okay, just keep going with your snide dismissal of gaping holes in service infrastructure. I've thought about problems like these since about 1994, and given your UID, you too should given some th

        • by bmo (77928)

          >It's not a BFD until someone uses your nick and probably a good chunk of your chat history

          It's IRC

          There is no "chat history" except what is kept locally. This is how it should be.

          . I've thought about problems like these since about 1994, and given your UID, you too should given some thought to the topic by now

          I've thought about it too, and I've come to the conclusion that my nick is disposable.

          --
          BMO

  • Cue all the hunter2 jokes: http://www.bash.org/?244321 [bash.org]

  • We*What? WeChat! Well, I use GoSMS [google.com]

    Ohh wait, it too has Asian origins. Anyone see a trend here? I see one.

  • Me upload your unprotected password to a 3rd-party website and hope you use that same password for your online banking so that we can steal funds from your accounts.

    Oh, and we put peepee in your coke.
  • *Tencent (Score:4, Informative)

    by poity (465672) on Tuesday September 17, 2013 @11:13PM (#44880525)

    with 2 'N's
    Same company that develops QQ

  • by viperidaenz (2515578) on Tuesday September 17, 2013 @11:24PM (#44880579)

    For this to be exploited, the attacker already successfully installed their own software on your phone.
    Your WeChat password hash should be the least of your concerns at this point.

    • Most of the easily exploited software on Android that is poorly written is supplied by AT&T, Verizon or T-Mobile and can't be uninstalled.

      On Android with these US carriers, I never know if a "malware" looking abusive feature was supplied by the phone company or if my phone got infected with something.

      Which is scary, because I think all the "malware looking crap" on my phone was supplied by the mobile carrier and isn't actually "malware" but intentional crapware meant to ruin my experience (but not on
    • by blueg3 (192743)

      already successfully installed their own software on your phone

      No, they're just able to execute code on your phone (in the context of some piece of software installed on your phone). There are plenty of approaches to remote code execution that are not the same as installing.

      should be the least of your concerns at this point

      While more or less true, vulnerabilities that enable you to do something dangerous with remote code execution capabilities are a major class of vulnerability. Just executing code in the context of some arbitrary application on the phone isn't necessarily very useful until you can do something evil w

      • by cbhacking (979169)

        The "on the phone" and "in the context of some arbitrary application" points are the big ones, here. On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already. That is *slowly* changing - between UAC on Windows, browsers getting sandboxes, and the various sandboxed app stores for PC operating systems, it's better than it was - but in general, people still often really aren

        • by blueg3 (192743)

          On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already.

          I think that really depends on the PC. If it's a regular consumer PC, that's a couple of the reasons. There are more. Regular consumer PCs are almost entirely single-user machines on uninteresting networks. The major benefit to hacking a consumer PC is obtaining the user's data, which is naturally available in a user context (because of poor sandboxing).

          Plenty of PCs, though, are more serious machines with multiple users, on interesting networks, or otherwise useful for long-term compromise. Long-term compr

  • it might be weak, or already broken, but by definition it is not "plain"

    • by cbhacking (979169)

      Close enough. The fastest and easiest way to crack MD5 is actually absurdly easy: do a Google search for the digest. It works shockingly often (partially because Google has indexed a bunch of password dumps, effectively acting as a huge rainbow table for us). A completely unsalted MD5 password can be broken in a fraction of a second, almost guaranteed.

      I mean, from a really pedantic point of view, you're right... but from a real-world one, not really. MD5 as a password verifier is only slightly more secure th
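As an added illustration of the two comments above (the one recommending scrypt in place of MD5, and the one explaining why an unsalted MD5 digest is a single lookup away from the password), the following example is not WeChat's or Tencent's code and is not taken from the submitted article. It contrasts a precomputed-table attack on an unsalted MD5 verifier with guessing against a per-user salted scrypt verifier. The wordlist and the "precomputed table" are constructed for the demo; the scrypt cost parameters are an assumption chosen so the example runs quickly. SRP, which the first comment also suggests, is a different mechanism (a PAKE that never sends the password or its hash at all) and is not shown here.

```python
"""Unsalted MD5 as a password "hash" versus a salted, memory-hard verifier.

Added example, not code from the page or from WeChat. The wordlist and the
lookup table stand in for the indexed password dumps the comment refers to.
"""
import hashlib
import hmac
import os

# Constructed sample: a tiny stand-in for already-indexed password dumps.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "letmein", "qwerty"]


def md5_verifier(password):
    """The weak scheme described in the summary: unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password once. With no salt, the same table
    works against every user who ever chose one of these passwords."""
    return {md5_verifier(p): p for p in wordlist}


def crack_md5(digest, table):
    """Recover a password from a leaked unsalted MD5 with one dictionary
    lookup (what "Google the digest" amounts to). None if not in the table."""
    return table.get(digest.lower())


# Assumed cost parameters for the demo: ~16 MiB and a few tens of ms per
# evaluation. A production deployment would tune these upward.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_verifier(password, salt=None):
    """Salted, memory-hard verifier. Returns (salt, key); both are stored.
    A fresh random salt per user makes any precomputed table useless."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_scrypt(password, salt, key):
    """Re-derive and compare in constant time so the check leaks nothing."""
    _, candidate = scrypt_verifier(password, salt)
    return hmac.compare_digest(candidate, key)


def crack_scrypt(salt, key, wordlist):
    """Guess against a leaked (salt, key). Every guess must be re-derived
    with this user's salt at full scrypt cost; nothing can be precomputed.
    Returns (recovered_password_or_None, number_of_guesses_made)."""
    for count, guess in enumerate(wordlist, 1):
        if verify_scrypt(guess, salt, key):
            return guess, count
    return None, len(wordlist)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = md5_verifier("hunter2")  # what the vulnerable app would leak
    print("leaked MD5:", leaked, "->", crack_md5(leaked, table))

    salt, key = scrypt_verifier("hunter2")
    print("scrypt guessing:", crack_scrypt(salt, key, COMMON_PASSWORDS))
    print("wrong password verifies?", verify_scrypt("password", salt, key))
```

The MD5 case is broken by a dictionary lookup that costs nothing per victim; the scrypt case still falls to a weak password, but only after paying the full derivation cost for each guess against each user, which is what makes a leaked verifier database survivable when passwords are not trivially common.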

  • by RobertinXinyang (1001181) on Wednesday September 18, 2013 @03:23AM (#44881447)

    This is in the article
    "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3rd, but we got no reply."

    This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

    • This is in the article
      "We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3rd, but we got no reply."

      This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.

      Or they might just be ignoring you :-)
