Security researchers say a new vulnerability could have exposed WhatsApp and Telegram user accounts in a matter of seconds.
If exploited, the critical issue allows attackers to take over user accounts on any browser, view and manipulate chat sessions, and access contact lists and shared content including images, videos, and audio.
Only users of the browser-based versions could have been affected.
The vulnerability is triggered through the transfer of image files. If an attacker sends an intended victim malicious code hidden within a supposedly innocent image file and the victim clicks on it, the trap springs, and the attacker is immediately able to gain full access to WhatsApp or Telegram local storage data, which includes user account information.
Check Point says that the end-to-end encryption used to protect the content of messages sent via WhatsApp and Telegram, which makes both services popular, is also the weakness that allowed the severe bug to escape notice in this case.
“Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were, therefore, unable to prevent malicious content from being sent,” the team says.
“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account takeover,” says Oded Vanunu, head of product vulnerability research at Check Point. “By simply sending an innocent-looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.”
Speaking to ZDNet, Kenneth White, security researcher and co-director of the Open Crypto Audit Project (OCAP), noted that even if an app considers itself to be secure, some of those protections may be stripped away the moment you access it from a regular browser.
Check Point researchers disclosed the security flaw to the WhatsApp and Telegram security teams on March 7, and it was rapidly patched in the web clients.