A recent study conducted by Citizen Lab uncovered a vulnerability in the networks of the popular Chinese messaging app WeChat, which boasts over a billion users every month. The study revealed that WeChat utilizes a Proprietary Protocol MMTLS, which was found to be less secure compared to the standard TLS 1.3 protocol it was derived from.
The analysis highlighted that WeChat employs a non-standard encryption method called MMTLS, which has multiple cryptographic weaknesses. One critical flaw is the use of predictable initialization vectors (IV), raising the risk of key recovery and exposure of sensitive data. Moreover, WeChat lacks perfect forward secrecy, making it possible to decrypt previous data if encryption keys are compromised.
Notably, previous versions of WeChat utilized an even less secure encryption protocol, which is still partly in use in the current versions of the app. This revelation has raised concerns regarding the safety of user data, despite the absence of any known attacks that have successfully breached the app’s encryption.
It is common for Chinese applications like WeChat to develop their encryption systems, yet these in-house systems often fall short of the security standards set by internationally recognized protocols like TLS.
In response to the findings, researchers have released tools for analyzing WeChat traffic, aiming to facilitate further research into the app’s security. This initiative is intended to prompt developers and cybersecurity experts to enhance encryption measures and strengthen the protection of user data.