WhatsApp and Telegram accounts can be hacked by sending malware-laden images
Check Point Software Technologies, an Israeli computer security firm on Wednesday, revealed a vulnerability in messaging services, WhatsApp and Telegram that allows the hackers to break into accounts using the very encryption intended to protect messages.
The flaw exposed those who used the web browser versions of WhatsApp and Telegram, both of which are fully synced with their mobile versions. The vulnerability allowed hackers to hijack hundreds of millions of WhatsApp and Telegram accounts simply by sending a malware-laden image. The hack targeted the method in which both Telegram and WhatsApp process images and multimedia files.
“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over,” said Check Point Head of Product Vulnerability Oded Vanunu in a release.
“By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.”
If opened, malicious software attached to the file can break into the account. “This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists and more,” according to a statement by Check Point’s Eran Vaknin, Roman Zaikin and Dikla Barda. “This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom and even take over your friends’ accounts.”
WhatsApp And Telegram Hacked With Malicious Image
The security researchers managed to create a malicious image that would appear normal in preview, but would actually direct users to a malware-ridden HTML page. Once parsed by the WhatsApp client, the code would execute the malicious HTML in the user’s browser. “Once this HTML inject was uploaded and was encrypted and delivered to the other side [the WhatsApp server], the other side was rendering this HTML, innocent-looking image and executed the code that was stealing the local storage of the user,” Vanunu told Forbes.
This is true for WhatsApp users while Telegram users need to play the video message and then right-click to open it in a new tab. The reason this flaw works is because WhatsApp and Telegram support HTML, Text and video format files to be sent to each other. However, Telegram is limited in terms of the number of images and video documents that are saved in the system storage.
“It’s a big vulnerability in a big service,” Vanunu added. For a full technical explanation of the issues, see Check Point’s blog.
Patching the security flaw
WhatsApp and Telegram use end-to-end encryption designed to make certain only senders and recipients can see what is in messages. However, the disadvantage of this privacy protection is that WhatsApp and Telegram couldn’t have prevented such malicious files from being sent because they don’t have access to messages exchanged on their platforms – only users have access.
“Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were, therefore, unable to prevent malicious content from being sent,” the Check Point team says.
Check Point alerted WhatsApp and Telegram regarding the issue on March 7. Both companies have verified and acknowledged the security issue and developed a fix for web clients around the world immediately.
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu. WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.
“We build WhatsApp to keep people and their information secure,” a WhatsApp spokeswoman said in a statement. “When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web.”
Facebook owned WhatsApp has more than 1 billion users and is one of the most common messaging services. On the other hand, Telegram delivers over 15 billion messages daily to at least 100 million monthly active users.