{"id":20795,"date":"2023-03-07T08:54:53","date_gmt":"2023-03-07T13:54:53","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/dangers-of-desktop-messengers\/20795\/"},"modified":"2023-03-16T15:30:37","modified_gmt":"2023-03-16T11:30:37","slug":"dangers-of-desktop-messengers","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/dangers-of-desktop-messengers\/20795\/","title":{"rendered":"Five reasons not to use desktop messengers"},"content":{"rendered":"<p>Many companies, especially small ones, don\u2019t use specialized systems like Slack or Microsoft Teams for communication among employees, and instead use ordinary messengers such as WhatsApp, Telegram, and Signal. And whereas people mainly prefer the mobile versions for personal use, when it comes to work needs, many install desktop applications without giving much thought to how secure they are.<\/p>\n<p>In our recent <a href=\"https:\/\/www.kaspersky.com\/blog\/signal-desktop-file-vulnerabilities\/46978\/\" target=\"_blank\" rel=\"noopener nofollow\">post on vulnerabilities in the desktop version of Signal<\/a>, we wrote that \u201cthe best advice would be not to use the desktop version of Signal (and desktop versions of messengers in general)\u201d. But since it\u2019s not immediately obvious why, here we explain in some detail the flaws of desktop messengers in terms of cybersecurity.<\/p>\n<p>Note that we\u2019re talking about desktop versions of \u201ccivilian\u201d messaging apps (such as Telegram, WhatsApp, and Signal) \u2014 not corporate platforms like Slack and Microsoft Teams, which are specially adapted for work processes (and as such they operate a little differently and so are not covered in this post).<\/p>\n<h2>1. 
App on the outside, browser on the inside<\/h2>\n<p>One of the important things to understand about desktop versions of messengers is that the vast majority of them are built on the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Electron_(software_framework)\" target=\"_blank\" rel=\"nofollow noopener\">Electron<\/a> framework. What this basically means is that such a program, on the inside, is a web application that opens in an embedded <a href=\"https:\/\/en.wikipedia.org\/wiki\/Chromium_(web_browser)\" target=\"_blank\" rel=\"nofollow noopener\">Chromium<\/a> browser.<\/p>\n<p>This is actually the main reason why Electron is so popular with developers of desktop versions of messengers: the framework makes it quick and easy to create applications that run on all operating systems. However, it also means that programs built on Electron automatically inherit the full range of its vulnerabilities.<\/p>\n<p>At the same time, one must understand that, due to their incredible popularity, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Google_Chrome\" target=\"_blank\" rel=\"nofollow noopener\">Chrome<\/a> and Chromium are always under the spotlight. Cybercriminals regularly discover vulnerabilities in them, and promptly create exploits with detailed descriptions of how to use them. In the case of the normal, standalone Chrome browser, this isn\u2019t such a big problem: Google is very responsive to information about vulnerabilities and releases patches on a regular basis. To stay safe, you just need to <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-update-google-chrome\/43547\/\" target=\"_blank\" rel=\"noopener nofollow\">install updates without delay<\/a>. But when it comes to programs based on Electron, the embedded browser gets an update only when the developers release a new version of the application.<\/p>\n<p>So what do we end up with? 
If your employees use applications built on Electron, this means they have several browsers running in their systems for which exploits appear regularly. Furthermore, neither you nor they can control the updates for these browsers. The more applications like this there are, the higher the associated risks. So it would be wise to at least limit the number of \u201ccivilian\u201d messengers used for work purposes in the company.<\/p>\n<h2>2. Key question<\/h2>\n<p>One of the biggest draws of modern messengers is the use of <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/end-to-end-encryption\/\" target=\"_blank\" rel=\"noopener\">end-to-end encryption<\/a>; that is, message decryption needs the chat participants\u2019 private keys, which never leave their devices. And as long as no one else knows the encryption keys, your correspondence is securely protected. But if an attacker does get hold of the private key, they\u2019ll be able not only to read your correspondence, but also to impersonate one of the chat participants.<\/p>\n<p>And this is where the problem with desktop versions of messengers appears: they store the encryption keys on the hard drive, which means they can easily be stolen. Sure, an attacker must somehow gain access to the system, say, through malware, but this is <a href=\"https:\/\/www.zdnet.com\/article\/telegrab-malware-hijacks-telegram-chat-sessions\/\" target=\"_blank\" rel=\"nofollow noopener\">perfectly doable<\/a> in the case of desktop operating systems. 
As for mobile ones, their architectural features make stealing encryption keys <a href=\"https:\/\/content.govdelivery.com\/accounts\/USDODDC3\/bulletins\/2e03518\" target=\"_blank\" rel=\"nofollow noopener\">much harder<\/a> \u2014 especially doing so remotely.<\/p>\n<p>In other words, using the desktop version of a messenger automatically and significantly raises the risk that the encryption key, and hence work correspondence, will fall into the wrong hands.<\/p>\n<h2>3. RAT in the chat<\/h2>\n<p>Let\u2019s assume things go smoothly, and no one (yet) has possession of the encryption key of any of your employees: this means that all work correspondence is safe and sound, right? Not quite. Cybercriminals could potentially use <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/rat-remote-access-tools\/\" target=\"_blank\" rel=\"noopener\">remote administration tools<\/a> as well as <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/remote-access-trojan-rat\/\" target=\"_blank\" rel=\"noopener\">remote access Trojans<\/a> (both of which share the same acronym \u2014 RAT) to lay their hands on work correspondence. The difference between them is rather symbolic: both legitimate <em>tools<\/em> and illegal <em>Trojans<\/em> can be used to do lots of interesting things with your computer.<\/p>\n<p>RATs represent threats against which desktop messenger clients, unlike their mobile counterparts, are practically defenseless. Such programs allow even inexperienced attackers to get the content of secret correspondence. In a messenger running on a desktop, all chats are already automatically decrypted, so there\u2019s no need to steal the private keys. Anyone in remote desktop mode can read your correspondence, even if it\u2019s conducted in the most secure messenger in the world. 
And not only read, but also write messages in a work chat posing as a company employee.<\/p>\n<p>Moreover, remote administration tools are entirely legitimate programs, with all the ensuing consequences. First, unlike malware, which has to be obtained from some dark corner of the internet, they can be found and downloaded online without any problems at all. Second, not every security solution warns the user if remote access tools are found on their computer.<\/p>\n<h2>4. What\u2019s in the box?<\/h2>\n<p>Another reason to avoid using the desktop clients of popular messengers is the risk that they may be used as an additional uncontrolled channel to deliver malicious files to your employees\u2019 computers. Sure, a malicious file can be picked up anywhere. But in the case of e-mail attachments and, even more so, files downloaded from the internet, most folks are aware of the potential danger. But files received in a messenger, especially one positioned as secure, are viewed differently: \u201cwhat can go wrong here?\u201d This is especially the case if a file came from a colleague: \u201cthere can\u2019t possibly be anything to worry about\u201d is the common view.<\/p>\n<p>The vulnerabilities found in the desktop version of Signal related to how the messenger handles files (described in our <a href=\"https:\/\/www.kaspersky.com\/blog\/signal-desktop-file-vulnerabilities\/46978\/\" target=\"_blank\" rel=\"noopener nofollow\">recent post<\/a>) serve as an example. Exploitation of these vulnerabilities allows an attacker to quietly distribute infected documents to chat participants while pretending to be one of those participants.<\/p>\n<p>This is just one hypothetical scenario suggesting advanced technical capabilities of the attacker. 
Others cannot be ruled out either: from mass mailings based on stolen databases to targeted attacks using social engineering.<\/p>\n<p>Again, mobile operating systems are better protected against malware, so this problem is less acute for users of mobile messenger clients. Their desktop counterparts carry a far greater risk of attracting some kind of malware to said desktop computer.<\/p>\n<h2>5. We should have shotguns for this kind of thing<\/h2>\n<p>Traditional threats shouldn\u2019t be forgotten about. The <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">specialized security solutions on the corporate mail gateway level<\/a> enforce protection against malicious attachments and phishing. But in the case of desktop messenger clients, things are a little more complicated. There\u2019s no solution that can break into the end-to-end encrypted message exchange using the servers of the messenger itself; dangerous objects can be caught only at the exit, which reduces the level of protection.<\/p>\n<p>Once again, this is far less of a problem on mobile devices. They\u2019re harder to infect with malware, and fewer important files are stored there. Plus, lateral movement in the corporate network following a successful attack on a mobile device is unlikely to have the same devastating consequences.<\/p>\n<p>A desktop messenger on a work computer provides a communication channel that\u2019s not only uncontrollable by the network administrator, but fully secured against their actions; and from this state of affairs something very nasty could emerge.<\/p>\n<h2>Prevention is better than cure and blame<\/h2>\n<p>We end basically where we began: as mentioned in the introduction, <strong>the best tip is not to use desktop versions of messengers<\/strong>. 
If for some reason that\u2019s not an option, then at least take basic precautions:<\/p>\n<ul>\n<li>Be sure to install <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security\/cloud?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kescloud___\" target=\"_blank\" rel=\"noopener\">security software on work devices<\/a>. This, in fact, is the only way to protect against the unpleasant things that can crawl through messengers into your company network.<\/li>\n<li>If your employees use more than one messenger for work purposes, try to stop this practice. Decide on one and ban the rest.<\/li>\n<li>In addition, keep track of remote access tools installed and used on work devices.<\/li>\n<li>Speaking of which, our Kaspersky Endpoint Security Cloud has a <a href=\"https:\/\/support.kaspersky.com\/Cloud\/1.0\/en-US\/100054.htm\" target=\"_blank\" rel=\"noopener\">Cloud Discovery<\/a> feature, which tracks employees\u2019 attempts to use unapproved cloud services.<\/li>\n<li>And to make all these measures more effective and at the same time to demonstrate their absolute necessity, providing <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/adaptive-online-awareness-training?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">information security training<\/a> for employees would be helpful.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We explain why it\u2019s best not to use desktop versions of messengers such as WhatsApp, Telegram, Signal and the 
like.<\/p>\n","protected":false},"author":2726,"featured_media":20796,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917,9],"tags":[1328,577,2107,581,520,113],"class_list":{"0":"post-20795","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"category-tips","10":"tag-macos","11":"tag-messengers","12":"tag-signal","13":"tag-telegram","14":"tag-whatsapp","15":"tag-windows"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dangers-of-desktop-messengers\/20795\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/dangers-of-desktop-messengers\/25354\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/dangers-of-desktop-messengers\/27967\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dangers-of-desktop-messengers\/25647\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dangers-of-desktop-messengers\/26077\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/dangers-of-desktop-messengers\/28530\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dangers-of-desktop-messengers\/34817\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dangers-of-desktop-messengers\/47453\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dangers-of-desktop-messengers\/20302\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dangers-of-desktop-messengers\/20926\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/dangers-of-desktop-messengers\/29898\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/dangers-of-desktop-messengers\/25957\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dangers-of-desktop-messengers\/31669\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dangers-
of-desktop-messengers\/31376\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/messengers\/","name":"messengers"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20795"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20795\/revisions"}],"predecessor-version":[{"id":20818,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20795\/revisions\/20818"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20796"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}