Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label WeChat. Show all posts
WeChat
Chinese App Cyber Security encryption system TLS WeChat

WeChat's Updated Encryption System Prone to Threats for its Users

 




More than a billion people send messages over WeChat and as per a new study recently, it discovered some security flaws in terms of the encryption system. While some applications use end-to-end encryption to prevent secret conversations from being read, WeChat's messages can be viewed by its servers. Researchers now find some vulnerability in WeChat's customised encryption that could leave users vulnerable to threats.


Weakened Encryption in WeChat

Scientists at the Citizen Lab of University of Toronto have established that WeChat is using a variation of the general security protocol named Transport Layer Security, or TLS 1.3. The new version of it is called MMTLS and it is actually made up of another layer of encryption called "Business-layer encryption," which encrypts messages right before they are going to be sent.

While this does mean that there is extra security placed on this system, it does not have weaknesses in the design. The inner Business-layer encryption does not protect critical information, including user IDs and request information. MMTLS also uses predictable patterns of a type of deterministic initialization vectors (IVs) that can lead to compromised encryption security overall.


Missing Forward Secrecy

Another weakness with WeChat's encryption is a lack of "forward secrecy." Forward secrecy helps to secure later communications in cases where old encryption keys are compromised. In the absence of this feature, if the attackers get hold of those encryption keys, they can decrypt old messages, compromising the users' long-term privacy.

Even before 2016, WeChat was employing the Business-layer encryption. This has made WeChat vulnerable to attacks since it had nearly no defences.

With the implementation of MMTLS, security becomes even enhanced with an added layer of protection that is acquired in the process. However, the changes are not yet at extreme conditions expected for the size of users in an app.


Improvements But Still Some Concerns

Though the security has been increased in WeChat, researchers could not break through the encryption layer that is currently used. The new MMTLS layer does hide the older, weaker encryption layer and offers protection from it. Still, the modifications to the protocol of TLS remain a security liability .


Chinese Apps Custom Security Practices

Problems with encryption form part of a broader problem about Chinese apps. Increasingly, app developers in all parts of China do not depend on widely trusted international standards but instead come up with their own custom solutions. For Citizen Lab, this forms a worrisome trend, since their homemade security solutions are nothing close to the generally recognized methods.

For instance, some Chinese apps utilise proprietary processing of DNS hijacking, and many rely on open-source software, as used in the case of Tencent Mars, and thus not all such applications or software will maintain stringent security levels or best practices for security.


WeChat Needs Stronger Encryption

Hence, although WeChat has become far safer lately, it is far from perfect. Users may have weak encryption methods that could expose their private data to possible threats. Such an application with thousands of users worldwide should deploy better standards of encryption to protect conversation among its users.


Read more »
WeChat
Account Hack Australia China Chinese Apps Cyber Security Mobile Apps Security WeChat

How Australia’s Leader Lost Control of His Chinese Social Media Account

 

After Prime Minister Scott Morrison's WeChat account was hacked, a Liberal member of parliament accused the Chinese government of foreign intervention. 

"It is a matter of record that the platform has stopped the Prime Minister's access, while Anthony Albanese's account is still active featuring posts criticising the government," Liberal representative Gladys Liu stated

"In an election year especially, this sort of interference in our political processes is unacceptable, and this matter should be taken extremely seriously by all Australian politicians." 

Liu stated she would stop utilizing her professional and personal WeChat accounts until the platform presented an explanation for the incident as part of her accusations against the Chinese government. 

Several Coalition members have supported Liu's charges and boycott, with Liberal Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security, asking for Opposition Leader Anthony Albanese to boycott WeChat as well. 

The Prime Minister's office is attempting to contact the Chinese government regarding the account hijacking, according to Stuart Robert, the Minister responsible for digital transformation, who told The Today Show on Monday morning. 

"It is odd, and of course, the Prime Minister's office is seeking to connect through to them to work out and get it resolved," Robert said. 

Morrison's WeChat account was apparently changed and he had accessibility issues months ago, according to NewsCorp Australia, with the Prime Minister being unable to access the account at all.

Morrison's account is linked to a Chinese national based in Fujian, according to Australian Strategic Policy Institute senior analyst Fergus Ryan, because WeChat's policies at the time mandated accounts to be linked to the ID of a Chinese national or a business registered in China. 

A Tencent spokesman confirmed to ZDNet on Monday evening that the account was originally registered by a PRC individual, but that it is currently being managed by a technology services organisation. 

"Based on our information, this appears to be a dispute over account ownership -- the account in question was originally registered by a PRC individual and was subsequently transferred to its current operator, a technology services company -- and it will be handled in accordance with our platform rules," the Tencent spokesperson said. 

"Tencent is committed to upholding the integrity of our platform and the security of all users accounts, and we will continue to look into this matter." 

According to ABC News, Morrison's WeChat account was sold to Fuzhou 985 Information Technology in November of last year by the registered owner. 

The Chinese corporation allegedly purchased the social media account since it had roughly 75,000 followers and had no idea it was owned by Morrison. 

WeChat has been subjected to increasing restrictions in China, after being placed on notice last year for gathering more user data than was considered essential while providing services.
Read more »
WeChat
China Chromium Project Patch Fix Technology WeChat

Chinese WeChat Users Targeted by Attackers Using Recent Chromium Bug

 

According to a local security firm, a Chrome exploit published online last week has been weaponized and exploited to target WeChat users in China. 

The malicious links were sent to WeChat users in the attacks. When users clicked the connection via a link, a piece of JavaScript code was launched, which loaded and executed shellcode on their operating systems. 

Threat actors used the recently revealed Chrome exploit to attack WeChat users in China, according to China-based firm Qingteng Cloud Security. The attacks, according to the researchers, were limited to users of the WeChat Windows app. The security firm didn't reveal which of the two proof-of-concept codes released last week were used in the attacks. 

This is because the attackers repurposed proof-of-concept code for two different bugs in the Chromium browser engine, which the WeChat Windows client uses to open and preview links without having to open a separate browser, which was published on Twitter and GitHub last week. The proof of concept code published last week —both of them— allowed attackers to run malicious code inside any Chromium-based browser. 

However, since most web browsers run Chromium in a "hardened mode" where the "sandbox" security protection function helps to prevent malicious code from escaping to the underlying operating system, due to which the exploit code was deemed useless on its own. 

As the security researchers informed The Record in interviews last week, their proof-of-concept code would work fine against apps that used the Chromium project as a foundation but forgot to allow sandbox defense. 

The WeChat client patched last week but Qingteng did not reveal that which of the two Chromium exploits revealed online last week was used in the wild in China; however, the security firm said it alerted Tencent, the creator of the WeChat app, and that Tencent had incorporated the latest Chromium security updates to patch the attack vector. 

Both vulnerabilities have been fixed by the Chromium team, but the patches are still finding their way downstream to all applications that use the browser engine. Only Microsoft Edge has patches for both exploits right now whereas the first bug has been fixed in Chrome.
Read more »
WeChat
China Debtor App Social Credit System WeChat

China Launches An App Which Works Like A Debtor Radar!













Giving apps an absolutely new dimension, China recently launched an app which works like a radar for people who are in debt.


Reportedly this application was developed on the instructions of the Chinese police. The app was created in the Chinese province of Hebei.



The application tends to display the locations of people in debt, whenever the person using the app is within 500 yards of them.



The major inspiration behind the application is the need to report the citizens who spend more than they should.



The application which goes by the name of “Map of Deadbeat Debtors” could be accessed via ‘WeChat’. (A social media app)



It's being claimed that the users are instantly alerted via a flash when they stand within 500 meters of a debtor.



The exact location of the debtor is displayed, if there's any appearance of personal information hasn't been confirmed yet.


It's an initiative which works towards citizens keeping a lookout for potential debtors, regardless of the seriousness of the debt.


  
Apparently, owing a debt is considered inappropriate in the culturally rich country of China.



The new reforms in the social credit system of the country are to be held responsible for the idea of the application.




The latest system is just the thing which the country needs and will judge the citizens on the basis of their social behavior.

Read more »
Subscribe to: Posts (Atom)