As we returned from Supercon 2022, we noticed many airlines offer free in-flight messaging. While the messages are handy for complaining about the seat size, they aren’t quite as exciting as access to the internet. In the air, we wondered how hard it would be to tunnel an internet connection over messaging. Funnily enough, [Aleix Rodríguez Alameda] has a project that does exactly that by tunneling traffic over WhatsApp.
In [Aleix]’s case, cell carriers are pretty stingy with internet data when traveling in South America but often give unlimited WhatsApp data. So, ahead of time, two accounts are set up. The server runs on one account, listens for messages sent to that account, and acts as a proxy to the broader internet. Then, when in a restricted access setting, the client connects with a WebSocket and sends messages. The real trick for turning the WhatsApp messages into an internet connection the client can use is exposing a port from a local Node.js web server. It connects to the WhatsApp API through a WebSocket and then acts as a proxy. Then, you set up traffic to be redirected through that port with curl or Firefox.
Packets are split to prevent you from sending too many messages, because [Aleix]’s accounts were banned quickly during testing. You shouldn’t expect massively fast speeds, as 300 kbps was pretty typical during testing, which, according to Wikipedia, is about what dial-up got with V.44 compression.
That is around the same speed as TCP/IP tunneled over NRF24L01 radios.
Google Photos is handy. You take pictures and videos on your cell phone, and they automatically upload to the cloud. If you’re anything like me, however, every snap comes with a self-reminder that “the cloud” is a fancy name for someone else’s server. What could possibly go wrong? How about some of your videos randomly included in another user’s downloads?
Confirmed by Google themselves, this bug hit those using Google Takeout, the service that allows you to download all your data from a Google application as a single archive. Google Photos archives downloaded between November 21 and November 25 may contain videos from other users, according to a notice sent to the users who downloaded said archives. It’s notable that those notices haven’t been sent to users whose videos were exposed.
There is another WhatsApp flaw, but instead of malicious GIFs, this time it’s malicious mp4 files. Facebook announced the vulnerability late last week. An update has been released, so first go make sure WhatsApp is updated. Facebook’s advisory is a bit light on the details, simply saying that a “stack-based buffer overflow” was possible as a result of “parsing the elementary stream metadata of an mp4 file”.
Shortly after the bug was announced, a GitHub repository popped up, with a claimed proof-of-concept mp4 file for CVE-2019-11931. (Thanks to [justtransit] on Reddit for the link.) I can’t easily test the PoC file, but we can take a look at it to see what the vulnerability is. What tools do we need to take a look? A hex editor is a good start. I’m using GHex, simply because it was available and easily installed on Fedora.
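A hex editor shows the raw bytes; as an added example (not code from the article or from the PoC repository), the script below walks an MP4 file's box tree and flags any box whose declared size is inconsistent with its enclosing box, a first structural check before reading a suspect file by hand. It assumes nothing about the specific flaw behind CVE-2019-11931; the helper names and the sample files are constructed for illustration.

```python
import struct
# Boxes that hold child boxes on the path down to track metadata.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}

def walk_boxes(data, start=0, end=None, depth=0):
    """Yield (depth, type, offset, size, problem) for each box in data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            yield depth, b"????", pos, end - pos, "truncated header"
            return
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:  # 64-bit "largesize" follows the type field
            if end - pos < 16:
                yield depth, btype, pos, end - pos, "truncated largesize"
                return
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:  # box runs to the end of its enclosing container
            size = end - pos
        problem = None
        if size < header:
            problem = "size smaller than header"
        elif pos + size > end:
            problem = "size overruns parent"
        yield depth, btype, pos, size, problem
        if problem:
            return  # offsets after an inconsistent box cannot be trusted
        if btype in CONTAINERS:
            yield from walk_boxes(data, pos + header, pos + size, depth + 1)
        pos += size

def findings(data):
    return [(t.decode("latin-1"), off, why) for _, t, off, _, why in walk_boxes(data) if why]

def box(btype, payload=b"", size=None):
    """Build a box for the constructed samples; `size` overrides the declared length."""
    declared = 8 + len(payload) if size is None else size
    return struct.pack(">I4s", declared, btype) + payload

# Constructed samples, not taken from any real file or PoC.
FTYP = box(b"ftyp", b"isom\x00\x00\x02\x00")
GOOD = FTYP + box(b"moov", box(b"trak", box(b"tkhd", b"\x00" * 20)))
BAD = FTYP + box(b"moov", box(b"trak", box(b"tkhd", b"\x00" * 20, size=0x1000)))

if __name__ == "__main__":
    for depth, btype, off, size, why in walk_boxes(BAD):
        print(f"{'  ' * depth}{btype.decode('latin-1')} @{off} size={size} {why or ''}")
```

To triage a real file, pass its bytes to `findings()`; an empty list means only that the box sizes nest consistently, not that the file is safe to parse.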