Akamai Diversity

The Akamai Blog

#ShmooCon, Day 2: Instant Messaging Insecurity

At Akamai, one of our security policies goes something like this: If you want to do instant messaging for personal matters, use whatever you want. If you want to discuss company business on IM, however, you have to use a specialized instant messaging program we've set up specifically for communication between colleagues.

A talk I attended at ShmooCon this morning illustrated why it's so important.

Focusing on programs such as WhatsApp and Snapchat, security researchers Jaime Sanchez and Pablo San Emeterio walked the audience through a series of weaknesses attackers could easily exploit. They ran through a series of demos demonstrating how the unscrupulous could steal user identities, engage in cyber stalking, shotgun spam and engage in some serious DDoSing.

Common weaknesses include poor encryption or none at all, use of plaintext, etc.

Snapchat, a mobile app for iPhone and Android phones that specializes in the sharing of pictures and video, boasts 100 million users and some 400 million snaps shared per day. The researchers demonstrated how content can be saved and reopened in Snapchat without the sender realizing it. They also noted that the app is notorious for spam and denials of service, which they referred to as a "SnapCrash."

WhatsApp is the largest messaging app in Brazil, South America and Indonesia, the researchers noted. It also has weak encryption, data is sent and received in plaintext and is therefore easy prey for sniffers, and it can be used to store malware.

In fact, an unknown hacker created the website Whatsappstatus.net, where the status of a WhatsApp user can be changed as long as a phone number is listed. No authorization is required to send messages. Any user can contact you and bots can easily be created to spam you.

The researchers did outline steps people can take to use these apps more securely. 

Specifically, they showed the audience a tool they developed to provide different protection layers, more ironclad encryption, anonymity, and the use of a custom XMPP server.

Weaknesses in instant messaging programs are hardly new. I remember writing about it all the time in 2004 and 2005. But this talk was important for demonstrating how the same problems keep showing up in new apps.