This week’s news of a security flaw in the Android versions of WhatsApp and Telegram, first revealed by Symantec, marked the latest cybersecurity warning for users of high-profile technologies. In a blog post published Monday (July 15), Symantec warned of a security vulnerability that could lead to what it called “Media File Jacking,” in which an attacker is able to manipulate a file as it is sent from one user to another.
An Android user whose device is already infected with malware is at risk of having such files, a photo for example, manipulated between the moment they are sent by another user and the moment they are automatically saved to the phone’s external storage or image gallery. During that file validation and storage process, an attacker could change the contents of a file without the end user noticing.
“While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly,” the blog post noted.
Analysts warned that this security flaw could have particularly damaging effects when used to alter invoices and manipulate payment instructions.
“In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account,” Symantec said in its blog post.
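The window described above, in which a file written to shared storage can be altered before the app renders it, is the kind of change a per-file integrity check catches. This is an added example, not code from the original article, Symantec's post or any messaging app: it records a SHA-256 digest when the media is stored and re-checks it before display, using a constructed sample invoice and a temporary directory standing in for external storage.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Digest of a file's current on-disk contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def store_received_media(shared_dir: str, name: str, data: bytes):
    """Write incoming media to shared storage and keep the digest of
    what was actually received. Returns (path, expected_digest)."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path, hashlib.sha256(data).hexdigest()


def load_media_for_display(path: str, expected_digest: str) -> bytes:
    """Re-hash right before rendering; refuse the file if it no longer
    matches what the app received over the network."""
    if sha256_of_file(path) != expected_digest:
        raise ValueError("media integrity check failed: file changed on disk")
    with open(path, "rb") as f:
        return f.read()


def receive_then_display(tampered: bool) -> bool:
    """Simulate receive -> save to shared storage -> display.
    Returns True if the file passed the integrity check.
    The 'tampered' branch stands in for any other process with access to
    shared storage rewriting the file; all contents are constructed samples."""
    with tempfile.TemporaryDirectory() as shared:
        original = b"INVOICE 1001 - pay to account PLACEHOLDER-ORIGINAL"
        path, digest = store_received_media(shared, "invoice.pdf", original)
        if tampered:
            with open(path, "wb") as f:  # constructed modification
                f.write(b"INVOICE 1001 - pay to account PLACEHOLDER-ALTERED")
        try:
            return load_media_for_display(path, digest) == original
        except ValueError:
            return False


if __name__ == "__main__":
    print("clean:", receive_then_display(False))     # True
    print("altered:", receive_then_display(True))    # False
```

The check only helps if the digest is kept in the app's private storage rather than beside the file, since anything that can rewrite the media could otherwise rewrite the digest too.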
According to Business Insider reports Monday, WhatsApp pushed back against Symantec’s suggestion that it adjust its file validation and storage procedures.
“WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem,” a spokesperson told the publication. “WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”
What This Means For Freelancers
The publication also noted that WhatsApp has not found evidence of this vulnerability ever being exploited. However, revelations of the security flaw shed light on the evolving face of invoice fraud.
Business email compromise (BEC) already takes advantage of email security weaknesses, or uses social engineering, to convince accounts payable professionals or other executives to pay a fake invoice into a fraudster’s account. As more freelancers and small business owners turn to the same platforms they use as consumers, such as WhatsApp and other messaging portals, criminals may find new ways to commit invoice fraud.
Last December, Invoice2Go announced an integration with WhatsApp, Facebook Messenger and other mobile messaging platforms, noting that “having the ability to send your customer an invoice in the context of an existing conversation will not only streamline your workday, but also leave a crystal clear communication trail and make way for more immediate payments.”
QuickBooks similarly introduced support to send invoices via WhatsApp, announcing in a May blog post that “sending invoices over WhatsApp is a great way to reach your customers. And it can help you get paid faster by meeting customers where they’re at.”
In both instances, these third-party small business platforms send a link to an invoice displayed on their own portals; the integrations do not send the actual invoice document via WhatsApp or other messaging solutions, so their WhatsApp support is not affected by the security vulnerability.
But both integrations emphasize the role that consumer-facing platforms like WhatsApp play in supporting seamless invoicing and faster payments.
WhatsApp itself took notice of this opportunity with the launch of WhatsApp for Business and, last year, the introduction of the WhatsApp Business API, which, among other features, lets small business owners send invoices and other payment documents as attachments via WhatsApp, according to ChatBotsLife reports last September. It is unclear, however, whether the security vulnerability extends to documents sent via that application programming interface (API) integration.
Professionals who choose to send a proprietary invoice or other professional document via WhatsApp, directly from within the app, may want to take notice of the potential security implications.
And as more freelancers and small business owners take advantage of third-party integrations and of consumer-facing portals addressing their business needs, professionals will have to be diligent about ensuring the security of data and documents stored and shared via these solutions.