WeChat accounts are vulnerable because of a weak authentication mechanism. During my security research I found this flaw, and it can very easily be exploited using a simple social engineering technique. WeChat generates a simple authentication token (OTP) and sends it to the user's mobile phone. If this auth token is obtained by social engineering, anyone can log into or delete the victim's account without knowing the victim's user ID or password. The attacker can also reset the victim's password using the same technique. The flaw lies in the weak, single-layer authentication. Banks also implement this kind of token mechanism, but they have multiple layers of security. It would be better to reset a user's password by sending mail to the user's primary or secondary email address, which is usually more secure than a single token sent to a mobile phone.
All Android app developers and security researchers should treat this as an issue and implement stronger authentication mechanisms.
I tried to contact the WeChat team but did not get any response from them.
The complete report with PoC follows.
Step 1: The attacker, on his own Android phone, taps the "Can't access your account" option.
Step 2: The attacker is presented with several options to regain access to the account, via email or SMS.
Step 3: The attacker selects "Log in via SMS" and is presented with a field to enter a phone number.
Step 4: The attacker enters the phone number of his friend or victim and taps Next.
Now an attacker who has access to the victim's phone can easily read that verification code. Access to the victim's phone can also be obtained very easily, simply by asking the victim (who might be a friend of the attacker) to make a call, thereby gaining access only to the verification code sent by the WeChat server; or the attacker can use any other social engineering technique to trick the victim into handing over the code.
Step 5: The victim is already logged into his WeChat account on his Windows Phone and still receives the verification code on his mobile.
Step 6: The attacker enters that authentication code on his Android phone.
Step 7: After entering the auth code, the attacker is directly logged into the victim's account without any user ID or password.
Step 8: After gaining access to the victim's account, the attacker can change its password: when selecting the Logout option, the attacker is presented with a window to reset the password.
Account HACKED !!!!!!!!!!!!
The victim is automatically logged out of his account and is shown an "invalid account" error message when he tries to log in with his user ID and password.
Using the same verification code, it is possible to delete any existing user's account simply by entering his phone number.
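As an added illustration of the multi-layer recovery the report recommends (example code written for this page, not WeChat's or the author's), the following Python model of a server-side recovery flow makes the SMS code short-lived, attempt-limited and, on its own, insufficient: a password reset additionally needs a token delivered to the account's registered email, so a code obtained from the victim by social engineering does not unlock the account. The account records, phone numbers and in-memory SMS/email outboxes are constructed for the demo.

```python
import hashlib, hmac, secrets, time
OTP_TTL_SECONDS = 300   # an SMS code is only valid for five minutes
MAX_ATTEMPTS = 3        # after that the pending recovery request is discarded

def _h(value: str) -> str:   # demo hash; use a real password KDF for passwords in production
    return hashlib.sha256(value.encode()).hexdigest()

class RecoveryService:   # recovery needs BOTH the SMS code and an emailed token
    def __init__(self, accounts, now=time.time):
        self.accounts = accounts   # phone -> {"email": ..., "password": ...} (constructed)
        self.now = now             # injectable clock so expiry can be exercised
        self.requests = {}         # phone -> pending recovery state
        self.sent_sms, self.sent_email = [], []   # stand-ins for the SMS/email gateways

    def start(self, phone):
        if phone not in self.accounts:
            return False           # unknown number: nothing is sent
        otp, token = f"{secrets.randbelow(10**6):06d}", secrets.token_urlsafe(16)
        self.requests[phone] = dict(otp=_h(otp), token=_h(token), created=self.now(),
                                    attempts=0, sms_ok=False, email_ok=False)
        self.sent_sms.append((phone, otp))
        self.sent_email.append((self.accounts[phone]["email"], token))
        return True

    def verify_sms(self, phone, code):
        r = self.requests.get(phone)
        if r is None or self.now() - r["created"] > OTP_TTL_SECONDS:
            self.requests.pop(phone, None)
            return False           # no request, or the code has expired
        r["attempts"] += 1
        if r["attempts"] > MAX_ATTEMPTS:
            self.requests.pop(phone)
            return False           # too many guesses: the request is discarded
        r["sms_ok"] = hmac.compare_digest(r["otp"], _h(code))
        return r["sms_ok"]

    def verify_email(self, phone, token):
        r = self.requests.get(phone)
        if r is None: return False
        r["email_ok"] = hmac.compare_digest(r["token"], _h(token))
        return r["email_ok"]

    def reset_password(self, phone, new_password):
        r = self.requests.get(phone)
        # Neither factor alone is enough: an SMS code obtained from the victim cannot reset anything without the emailed token.
        if not (r and r["sms_ok"] and r["email_ok"]):
            return False
        self.accounts[phone]["password"] = _h(new_password)
        self.requests.pop(phone)   # a recovery request is single use
        return True
```

The same `sms_ok and email_ok` gate would guard account deletion, which the report shows is reachable with the SMS code alone.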
This is how the WeChat account of any user can be compromised. Social engineering techniques do work, as I have tried this on some people known to me and it works perfectly.
Thanks