TH16124
Detected presence of software components that can access instant messaging application databases.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Installed software stores sensitive user information in application-specific databases. For instant messaging clients, this sensitive information includes the complete message correspondence, list of contacts, saved passwords, exchanged files and digital signatures. These databases are typically not protected from unauthorized access for user convenience. Any encryption they might employ is easily bypassed, as the encryption keys are commonly stored alongside the data. For this reason, attackers often aim to gain access to instant messaging application databases and exfiltrate collected data to a remote server. While the presence of code that accesses instant messaging databases does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can interact with messaging client data. One example of acceptable use for such functions is extending messaging client application functionality through natively developed plugins.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1005 - Data from Local System.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1005 - Data from Local System (External resource - Mitre ATT&CK documentation)
- Data exfiltration (External resource - Wikipedia)