A cyber attack affecting over a billion people may be just one flaw away, and the unsettling reality is that WeChat, one of the world’s most popular messaging apps, is running on borrowed time. A new investigation by Citizen Lab at the University of Toronto has uncovered serious security vulnerabilities in WeChat’s encryption system, leaving its users vulnerable despite the app’s claims of protecting their data.
The study reveals that while WeChat encrypts messages, its servers can still read them, thanks to a lack of end-to-end encryption. More concerning is the app’s custom encryption protocol, MMTLS, which has major flaws that could expose sensitive information. From unsecured user IDs to outdated encryption methods, WeChat’s system is riddled with vulnerabilities that fall far below modern security standards.
Considering the number of users that exceeds one billion users on an app, this finding brings a concern. There are insufficient security measures on WeChat to be able to protect its users’ information effectively, thus exposing it to possible attacks.
WeChat uses a two-layer encryption system: “Business-layer encryption” first scrambles message content, then MMTLS further encrypts it. Though this arrangement offers some level of protection, major concerns still exist. For example, the internal layer does not prevent user IDs, request URIs, and other sensitive information ‘metadata’ from being leaked. Furthermore, a weak point in MMTLS is the use of constant IVs, which allows for some forms of attacks on the encrypted message.
It is like having identical locks on different safes. If one of those safes is cracked, the others are also in danger of being opened. Likewise, IV’s that are fixed increase the chances of attackers defeating the encryption.
Further, WeChat’s encryption lacks “forward secrecy,” which is crucial for long-term security. Without forward secrecy, if a hacker gains access to encryption keys, they can potentially decrypt past conversations.
Though the researchers could not fully crack WeChat’s encryption due to MMTLS, they recommend Tencent, WeChat’s parent company, adopt more secure protocols like standard TLS or a combination of TLS and QUIC.
People share sensitive information through messaging applications, and in such cases, a surety of security should be present. WeChat’s bespoke policy does not go that far; however, it presents opportunities for improvement in order to protect its users.
