Smartphones are frequently replaced by users when newer versions of smartphones with much more features are released.
The exchange of smartphones has a significant complication in transferring data to the new device.
To overcome this problem, Cloning applications were introduced to overcome this problem, which will clone the entire device to the new one.
This includes applications, photos, personal data, mail accounts, and even session data of applications.
However, CloudSEK’s researchers found that many applications do not invalidate or revalidate the session after this data migration to a new device.
Threat actors are aware of this and use this lack of validation with highly privileged migration tools to copy to their devices, which can result in impersonation.
List of Applications that do not Invalidate or revalidate the session cookies.
- Canva
- BookMyShow
- Snapchat
- KhataBook
- Telegram
- Zomato
- Whatsapp business
- Strava
- Highway Drive
- BlinkIT
- Future pay – BigBazaar now owned by Reliance
- Adani One
- Clash of Clans, Clash Royal (Supercell)
- Discord
- Booking.com
As per the migration experiment conducted by CloudSEK, WhatsApp transferred the secret keys to the new device, which resulted in the application not asking for 2FA.
“Researchers conducted an experiment using two Realme devices. After the data was transferred from the victim’s device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account.”
Even though the victim had activated WhatsApp 2FA, it wasn’t asked on the new (attacker’s) device, and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message; you can see the PoC video here.
A threat actor gaining access to this kind of vulnerability can impersonate a person and WhatsApp and send messages on the victim’s behalf.
Once the migration is completed, WhatsApp will receive messages on the device to which the last message was sent.
In such cases, the victims will only be able to know if they log on to Web WhatsApp and look for conversations.
Threat actors can bypass this easily if they delete the messages.
Meta owns WhatsApp. However, the same Meta-owned Instagram did not have this vulnerability, as it logged out all accounts when migrated to a new device.
Impact of this Vulnerability
As these applications do not invalidate or revalidate session cookies, threat actors can manipulate victims into installing Stealer Log malware that records users’ activities and sends them back to their servers which can be used to gain unauthorized access to victims’ accounts.
Once attacker steals the cookies not validated by the applications, they can use anonymous browsers to use stolen cookies resulting in the impersonation of network location and GPS.
Mitigation
- Checking for unusual activity on their accounts and their device
- Keeping the device locked when not in use
- Do not leave the devices in the public places
- Enable Two-factor authentication for the applications.