WeChat has become everyone’s everything-tool for busy life in China: We use it to pay for coffee, settle rent, share photos with friends, broker deals with clients, and discuss business with colleagues at the office. It’s also a tool that makes file-sharing easy, and many people use it to send everything from draft contracts to slide decks to sensitive financial data with other staff at their company.
Apart from the fact that any data transferred through WeChat is unencrypted and could be accessed by someone intercepting the connection between your phone and Tencent’s servers, the biggest vulnerability is a feature called “WeChat for Web”. WeChat for Web allows people to log into their WeChat account through any browser on any computer, simply by scanning a temporary QR code on the screen. Very few people will scan a QR code on someone else’s computer by accident — but many do it intentionally and routinely, because logging into WeChat through a web browser is an easy way to quickly copy files onto someone’s computer without permanently connecting with them on WeChat.
A typical situation like this is the print shop. Because many Chinese don’t use email much and often don’t even have it set up on their phone, the common solution is to log into WeChat on the shop owner’s computer (through the desktop app or WeChat for Web) and use the “File Transfer” feature to send files between the two devices. After the transfer has completed, they close the browser window — done. Done?
This is where things get dangerous: While closing the desktop app or the window of a regular browser does indeed reset the session and requires a fresh login the next time someone on the same computer tries to access WeChat for Web, it is trivial to load WeChat in an application that looks like the official app or like a normal web browser — but doesn’t actually end the session when the window is closed. In other words, the customer at the copy shop may close the browser window and leave, but a malicious shop owner will now have full access to all ongoing conversations and file transfers of that customer. Even clicking the “Logout” button in the drop-down menu of the web app doesn’t guarantee that the browser does indeed log out of the account, because anything a web browser shows or does can be easily manipulated by someone controlling the machine the software runs on, without the manipulation being noticeable to the average user. Spreadsheets, slide decks, financials and other sensitive corporate information sent via WeChat can then be siphoned off the service. Though past chat content will not appear in the web chat, any new data will be accessible to the attacker. Stolen information may then be used to blackmail the company, threaten the employee, be shared in public, or sold to competitors.
The lesson here is three-fold:
The solution to these challenges can’t simply be more technology or attempts at absolute oversight, because no corporate IT policy can be enforced around the clock and on every single device that staff will use. What is needed is regular training that — first — raises awareness among staff of the many ways that casual technology use can damage their employer, and — second — sparks actual habit change that will reduce the attack surface of a corporation. Only then will the use of WeChat and a quick run to the copy shop cease to be a serious threat to your business.