According to Vitor Ventura, a researcher from Cisco's Talos Intelligence Group, the concept behind these apps is that the service provider should not be able to read content at any point as messages are guaranteed to be encrypted from end to end.
Two protocols were commonly used: the proprietary MT Protocol developed by Telegram and the open source Signal Protocol developed by Open Whisper Systems. Most applications used the second protocol, or a variation of it.
Ventura said other applications used the Signal Protocol on request from the user, but not as default. Two examples are Facebook Messenger (which uses a feature called Secret Conversations) and Google Allo (which uses something called Incognito chats).
While the protocols were geared towards keeping communications private in transit, they offered no claims about security while data was being processed or when a message reached a user's device, Ventura pointed out.
He said a recent vulnerability found in WhatsApp allowed whoever compromised a WhatsApp server to add users to a conversation, which meant they could read any messages sent to that interchange, defeating the whole purpose of the end-to-end encryption.
"Given that all of these applications claim to have millions of active users, it is clear that not all of these users will be cyber security-educated," Ventura wrote.
"As such, most of them won't have a full understanding of the risks and limitations posed by certain configurations on these applications. Keeping a person's privacy safe is more than just technology, it's also about providing the users with the correct information in a manner that they are able to understand the risks of their decisions, even without being security experts."
Ventura said it was possible for desktop session hijacking to take place on Telegram, without any indication given to users that an unknown party was listening and receiving all communications on a supposedly secure channel.
"Once the attacker starts the Telegram desktop application using the stolen session information, a new session is established without giving any warning to the user," he said.
"The user has to check if there is an additional session in use. This is carried out by navigating through the settings, which isn't obvious to the average user. When the message does show up on Telegram, it isn't obvious to the average user, either."
Moving on to Signal, Ventura said the app handled session hijacking as a race condition – where two processes compete for the same hardware resources. Due to this, if desktop session hijacking took place on Signal, a user would see error messages. However, this would not be seen on a mobile device.
But it was generally too late; by the time the victim received these error messages, the attacker would have gained access to contacts and previous undeleted chats.
If the attacker wanted to avoid the error messages being generated, then he/she could delete the session information. But then when a user started the application, it would pop up a request to relink the app.
"For a security expert, this would be a red flag. But for the average user, they may think it's just an error in the application," Ventura said. "When the user creates the second session, it will only be visible from the mobile device, and by default, the two sessions will have the same name."
This meant the attacker would have access to all messages and also be able to impersonate the victim. Messages sent by the attacker could be deleted before they reached the victim's devices or else the "disappearing messages" option could be activated, making it harder for the presence of an attacker to be noticed.
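The manual session check Ventura describes for Telegram and Signal can be automated on the defender's side. The following is an added example, not code from the article or from Talos: it audits a constructed list of active sessions against a baseline of approved ones and flags duplicate device names, the Signal default noted above. The record fields, the baseline set and the sample data are assumptions; none of the apps is claimed to export sessions in this form.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    session_id: str      # hypothetical identifier for a linked device/session
    device_name: str     # name shown in the app's session list
    platform: str        # "android", "ios", "desktop", ...
    linked_at: datetime  # when the session was created


def audit_sessions(sessions, known_ids, now, recent=timedelta(days=7)):
    """Return {session_id: [reasons]} for sessions that need user review."""
    # Group by normalised name: a hijacked desktop session may reuse the
    # victim's existing device name, so a name alone proves nothing.
    by_name = {}
    for s in sessions:
        by_name.setdefault(s.device_name.strip().lower(), []).append(s)

    findings = {}
    for s in sessions:
        reasons = []
        if s.session_id not in known_ids:
            reasons.append("not in approved baseline")
            if now - s.linked_at <= recent:
                reasons.append("linked recently")
        if len(by_name[s.device_name.strip().lower()]) > 1:
            reasons.append("device name shared with another session")
        if reasons:
            findings[s.session_id] = reasons
    return findings


# Constructed sample data: two approved sessions plus one unexpected
# desktop session carrying the same name as the approved desktop.
NOW = datetime(2024, 1, 10, 12, 0)
KNOWN_IDS = {"a1", "b2"}
SAMPLE = [
    Session("a1", "Pixel 2", "android", datetime(2023, 3, 1, 9, 0)),
    Session("b2", "work-laptop", "desktop", datetime(2023, 6, 14, 8, 30)),
    Session("c3", "Work-Laptop ", "desktop", datetime(2024, 1, 9, 23, 10)),
]

if __name__ == "__main__":
    for sid, reasons in audit_sessions(SAMPLE, KNOWN_IDS, NOW).items():
        print(sid, "->", "; ".join(reasons))
```

Both sessions sharing the name are flagged, since the session list alone cannot tell the reviewer which of the two is the legitimate one.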
Ventura said WhatsApp was the only app among these three to send out a notification in case an attacker attempted to open a second session on the desktop. The pop-up would inform the user that the app had been opened on another computer or browser and ask the user to "click here" to use the app only in the original window.
This could be bypassed using the method in the graphic below:
There was another avenue of attack in Telegram known as mobile session shadowing, made possible by the fact that the app allowed the creation of shadow sessions on a single device based on the same phone number, and handled them in different applications.
Yet another avenue of attack existed, Ventura said, this being on Android systems. Here, when a phone number was registered through Telegram, a confirmation code was sent via SMS. If a user tried to register the same phone number again, Telegram would send a confirmation code as a Telegram message, which would be resent as an SMS after a certain time interval.
Thus, if a malicious application had access to the "read SMS" and "kill background process" permissions, it could easily pass Google Play store verification. And then the shadow session could be set up as under:
Ventura said the developers of the Signal Protocol had predicted this kind of session hijacking.
"The session management protocol (Sesame Protocol) security considerations contains a sub-chapter dedicated to the device compromise, which states, 'Security is catastrophically compromised if an attacker learns a device's secret values, such as the identity private key and session state'," he wrote.
"This attack vector was even predicted by the protocol developers, as such individual users and corporations should be aware that these applications are not risk-free. As such, it becomes more important that companies that use these apps to transmit private and sensitive information employ endpoint technology that better protects these assets."
Screenshots: Courtesy Talos Intelligence Group