Flaw in web versions of WhatsApp, Telegram put accounts at risk


Security researchers say a new vulnerability could have exposed WhatsApp and Telegram user accounts in a matter of seconds.

If exploited, the critical issue allows attackers to take over user accounts on any browser, view and manipulate chat sessions, and access content including images, videos, and audio, and it allows hackers to gain access to contact lists.

As such, only users of the browser-based versions could have been affected.

The vulnerability occurs through the transfer of image files. If an attacker sends an intended victim malicious code hidden within a supposedly-innocent image file and they click on it, the trap springs — and the attacker is immediately able to gain full access to WhatsApp or Telegram local storage data, which includes user account information.

Check Point says that the end-to-end encryption used to protect the content of messages sent via WhatsApp and Telegram, which makes both services popular, is also the weakness that allowed the severe bug to escape notice in this case.

“Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were, therefore, unable to prevent malicious content from being sent,” the team says.

“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over,” says Oded Vanunu, head of product vulnerability research at Check Point. “By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.”

Speaking to ZDNet, Kenneth White, security researcher and co-director of the Open Crypto Audit Project (OCAP), noted that just because an app considers itself to be secure, the moment you access it from a regular browser, some of those protections may be stripped away.

Check Point researchers disclosed the security flaw to the WhatsApp and Telegram security teams on March 7, and the security flaw was rapidly patched in the web clients.

“The reason you don’t see any updates for the apps is because they can fix the code for the website automatically and they can also intercept anyone by updating the code automatically and no-one would ever know,” White noted. “In the case of Signal [another secure messaging application], the Chrome desktop app really is an app, just written in JavaScript. You’d have to manually update it for fixes.

VIDEO: WhatsApp now offers free video calls for one billion users


More security news

Leave a Reply

Your email address will not be published. Required fields are marked *