Smartphones are frequently replaced by users when newer versions of smartphones with much more features are released.
The exchange of smartphones has a significant complication in transferring data to the new device.
To overcome this problem, Cloning applications were introduced to overcome this problem, which will clone the entire device to the new one.
This includes applications, photos, personal data, mail accounts, and even session data of applications.
However, CloudSEK’s researchers found that many applications do not invalidate or revalidate the session after this data migration to a new device.
Threat actors are aware of this and use this lack of validation with highly privileged migration tools to copy to their devices, which can result in impersonation.
List of Applications that do not Invalidate or revalidate the session cookies.
As per the migration experiment conducted by CloudSEK, WhatsApp transferred the secret keys to the new device, which resulted in the application not asking for 2FA.
“Researchers conducted an experiment using two Realme devices. After the data was transferred from the victim’s device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account.”
Even though the victim had activated WhatsApp 2FA, it wasn’t asked on the new (attacker’s) device, and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message; you can see the PoC video here.
A threat actor gaining access to this kind of vulnerability can impersonate a person and WhatsApp and send messages on the victim’s behalf.
Once the migration is completed, WhatsApp will receive messages on the device to which the last message was sent.
In such cases, the victims will only be able to know if they log on to Web WhatsApp and look for conversations.
Threat actors can bypass this easily if they delete the messages.
Meta owns WhatsApp. However, the same Meta-owned Instagram did not have this vulnerability, as it logged out all accounts when migrated to a new device.
As these applications do not invalidate or revalidate session cookies, threat actors can manipulate victims into installing Stealer Log malware that records users’ activities and sends them back to their servers which can be used to gain unauthorized access to victims’ accounts.
Once attacker steals the cookies not validated by the applications, they can use anonymous browsers to use stolen cookies resulting in the impersonation of network location and GPS.
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…