WeChat IM Application Could Disclose Your Password To Attackers
New submitter soulflyz writes "Security researchers found some security issues in WeChat, a popular instant messaging application developed by the Chinese company Tencet. By exploiting these vulnerabilities, any other application installed on the user's phone can force WeChat to send the user's password hash (in plain MD5 format) to an external web server controlled by the attacker. Android versions of WeChat up to 4.5.1 are confirmed to be vulnerable, but similar issues could also affect other versions of the application. According to recent statistics, WeChat should have about 300 million registered users."
WeChat has a password? (Score:4, Funny)
I've been using wechat for over a year on two phones and had no idea that I had a password.
Re: (Score:1)
Not only does WeChat have a password, but every other app on your phone has that password too.
Vulnerability Reports != News (Score:1)
Re: (Score:2)
No longer will they trust any person saying it's 'safe' based on their past work or having worked on a project for a few years++.
No longer will they trust any education institution saying it's 'safe' based on academic work for a few years+.
No longer will they trust any company saying it's 'safe' based on 'open source' work for a few years+.
A lot of skilled coders are now looking back at all hard
MD5? (Score:1)
They should use SRP (Secure Remote Password). [wikipedia.org]
If they don't want to bother with something good (like SRP), they should at least drop in SCrypt in place of MD5. Using MD5 these days for anything secure is stupid.
Re: (Score:3)
It's only a chat.
The problem is sharing passwords, not the password method.
I have a registered nick with rizon's nickserv. This means it has a password. It's just there to keep people from stomping on my name, that's it (as it should be in a *chat*) and the password is transmitted in plain text and probably stored that way.
Do I give two shits whether someone sees it or swipes it? No, not particularly, because I don't use the same password anywhere else and all "they" are going to get is my nick. BFD.
--
B
Re: (Score:2)
SRP has a huge problem, though: there's no really good way to handle registration. In theory, SRP is great; a way to securely (in every way that matters) verify that two parties have the same password for a user even over a completely insecure network. In practice, it gets used very little because if you've solved the key distribution problem - that is, if you have a way to *get* that password to both parties, securely - then you've also solved the issue of securely logging in (in almost every situation). F
Re: (Score:2)
all "they" are going to get is my nick. BFD.
It's not a BFD until someone uses your nick and probably a good chunk of your chat history to produce communications that damage you or someone else via dirt simple social engineering. Also, in considering only your own case, you're failing to recognize the larger impact that might be experienced by others. That's okay, just keep going with your snide dismissal of gaping holes in service infrastructure. I've thought about problems like these since about 1994, and given your UID, you too should have given some th
Re: (Score:2)
>It's not a BFD until someone uses your nick and probably a good chunk of your chat history
It's IRC
There is no "chat history" except what is kept locally. This is how it should be.
>I've thought about problems like these since about 1994, and given your UID, you too should have given some thought to the topic by now
I've thought about it too, and I've come to the conclusion that my nick is disposable.
--
BMO
Re: (Score:2)
But how much MSG is in WeChat?
hunter2 (Score:2)
Cue all the hunter2 jokes: http://www.bash.org/?244321 [bash.org]
Never heard of it! (Score:2)
We*What? WeChat! Well, I use GoSMS [google.com]
Oh wait, it too has Asian origins. Anyone see a trend here? I see one.
Deliberate? (Score:1)
uChat? WeJail! (Score:2)
I won't be surprised if the Chinese government is doing what the governments of all other large countries are doing, spying on its own citizens.
Re: (Score:1)
Why would you have been surprised? Never heard of the Great Firewall of China?
Re: (Score:2)
I thought the Great Firewall of China was keeping all the evil out of China. You know, the NSA, GCHQ, etc.
Re: (Score:2)
I care about security and I can't tell if you are saying GoSMS has similar problems --- I guess I'm saying I'm not 100% where you are headed with this
Me chinese, me make joke (Score:1)
Oh, and we put peepee in your coke.
*Tencent (Score:4, Informative)
with 2 'N's
Same company that develops QQ
Re: (Score:1)
Wait a minute (Score:3)
For this to be exploited, the attacker already successfully installed their own software on your phone.
Your WeChat password hash should be the least of your concerns at this point.
Re: (Score:2)
On Android with these US carriers, I never know if a "malware" looking abusive feature was supplied by the phone company or if my phone got infected with something.
Which is scary, because I think all the "malware looking crap" on my phone was supplied by the mobile carrier and isn't actually "malware" but intentional crapware meant to ruin my experience (but not on
Re: (Score:2)
http://get.cm/ [get.cm]
Re: (Score:2)
Re: (Score:2)
already successfully installed their own software on your phone
No, they're just able to execute code on your phone (in the context of some piece of software installed on your phone). There are plenty of approaches to remote code execution that are not the same as installing.
should be the least of your concerns at this point
While more or less true, vulnerabilities that enable you to do something dangerous with remote code execution capabilities are a major class of vulnerability. Just executing code in the context of some arbitrary application on the phone isn't necessarily very useful until you can do something evil w
Re: (Score:2)
The "on the phone" and "in the context of some arbitrary application" points are the big ones, here. On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already. That is *slowly* changing - between UAC on Windows, browsers getting sandboxes, and the various sandboxed app stores for PC operating systems, it's better than it was - but in general, people still often really aren
Re: (Score:2)
On a PC, remote arbitrary code execution is usually considered a game-over event, because PC apps are usually not sandboxed and the user running them usually has way too many permissions already.
I think that really depends on the PC. If it's a regular consumer PC, that's a couple of the reasons. There are more. Regular consumer PCs are almost entirely single-user machines on uninteresting networks. The major benefit to hacking a consumer PC is obtaining the user's data, which is naturally available in a user context (because of poor sandboxing).
Plenty of PCs, though, are more serious machines with multiple users, on interesting networks, or otherwise useful for long-term compromise. Long-term compr
MD5 is not "plain" (Score:2)
It might be weak, or already broken, but by definition it is not "plain".
Re: (Score:3)
Close enough. The fastest and easiest way to crack MD5 is actually absurdly easy: do a Google search for the digest. It works shockingly often (partially because Google has indexed a bunch of password dumps, effectively acting as a huge rainbow table for us). A completely unsalted MD5 password can be broken in a fraction of a second, almost guaranteed.
I mean, from a really pedantic point of view, you're right... but from a real-world one, not really. MD5 as a password verifier is only slightly more secure th
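An added example (not from the article or any commenter) that contrasts the unsalted MD5 verifier discussed in this post with the salted scrypt replacement suggested in the "MD5?" post above. The scrypt parameters, the `salt$digest` storage format and the two sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "hunter2", "bob": "hunter2"}

# scrypt cost parameters (assumed for this example; tune per deployment).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 2 ** 14, 8, 1, 32


def md5_verifier(password: str) -> str:
    """Unsalted MD5, the scheme under discussion: same password, same digest,
    so one precomputed digest identifies every account using that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard verifier stored as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return salt.hex() + "$" + dk.hex()


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    cand = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return hmac.compare_digest(cand.hex(), dk_hex)


def md5_digests_collide(users: dict) -> bool:
    """True if any two users end up with an identical stored MD5 digest."""
    digests = [md5_verifier(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


def scrypt_digests_collide(users: dict) -> bool:
    """With a fresh random salt per user, identical passwords no longer match."""
    hashes = [scrypt_hash(pw) for pw in users.values()]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    print("MD5 collides across users:   ", md5_digests_collide(USERS))
    print("scrypt collides across users:", scrypt_digests_collide(USERS))
```

The collision check is the whole point of "unsalted": a leaked MD5 digest is a lookup key, whereas a leaked scrypt record still has to be attacked one salt at a time.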
Clearly they should check their email (Score:3)
This is in the article
"We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3rd, but we got no reply."
This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.
Re: (Score:3)
This is in the article
"We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3rd, but we got no reply."
This is a common problem when dealing with Chinese companies. They are so accustomed to dealing face to face that they forget to check other means of communication. I frequently find that I need to send an SMS to a Chinese person if I have sent them email, asking them to check their email.
Or they might just be ignoring you :-)