2024-11-11, WestIn - Partenkirchen
KakaoTalk is the WhatsApp of South Korea, with more than 100 million downloads from the Google Play Store. In this talk we show how multiple vulnerabilities in a chat app can lead to the disclosure of users' messages. We do this by presenting a "one-click" account takeover exploit in KakaoTalk's regular chat room without breaking cryptography or escaping the app's sandbox. We also release our tooling so that fellow security researchers can dig into KakaoTalk's broad attack surface to find more bugs.
With more than 100 million downloads from the Google Play Store, KakaoTalk is South Korea's most popular chat app. Similar to other Asian apps such as WeChat, KakaoTalk is an "all-in" app that bundles everything into one app (payment, ride-hailing services, shopping, e-mail, etc.). End-to-end encrypted (E2EE) messaging is not enabled by default in KakaoTalk. Regular chat rooms, where Kakao Corp. can access messages in transit, are the preferred option for many users. KakaoTalk does have an opt-in E2EE feature called "Secure Chat", but it doesn't support features such as group messaging or voice calling.
In this talk, different vulnerabilities affecting KakaoTalk will be described. I will cover topics ranging from Android AppSec and Web Security to Applied Cryptography.
Android AppSec, Web Security, Applied Cryptography
Hey. I'm Dawin, yet another independent security researcher based in Munich. I'm interested in Android security, rock climbing and Drum and Bass music.