A vulnerability in the WhatsApp and Telegram web messaging platforms allows complete account takeover, giving attackers access to victims' personal and group conversations, photos, videos and other shared files, contact lists and more.
According to a Check Point analysis, the vulnerability allows an attacker to send the victim malicious code, hidden within an innocent-looking image. As soon as the user clicks on the image, the attacker can gain full access to the victim’s WhatsApp or Telegram storage data, thus giving full access to the victim’s account. The attacker can then send the malicious file to all the victim’s contacts, potentially enabling a widespread attack.
WhatsApp and Telegram use end-to-end message encryption as a data security measure, ensuring that only the people communicating can read the messages and nobody in between. Yet the same end-to-end encryption was also the source of this vulnerability: because messages were encrypted on the sender's side, WhatsApp and Telegram were blind to the content and therefore unable to prevent malicious content from being sent.
The ramifications could be widespread: WhatsApp has over 1 billion users worldwide, making it the most prevalent instant messaging service available today. Telegram, meanwhile, has over 100 million monthly active users, delivering over 15 billion messages daily.
“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account takeover,” says Oded Vanunu, head of product vulnerability research at Check Point. “By simply sending an innocent-looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.”
Check Point disclosed this information to the WhatsApp and Telegram security teams on March 8, after which both developed fixes for their web clients worldwide: content is now validated before encryption, so malicious files can be blocked. WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.
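The fix the article describes, validating content before it is encrypted, amounts to checking on the client that a file really is what it claims to be before it ever leaves the sender. The JavaScript below is an added illustration of that idea and is not Check Point's, WhatsApp's or Telegram's code; the function names, the magic-byte table and the sample inputs are constructed for this example. It rejects an upload whose declared type is not on an allow-list, whose leading bytes contain markup, or whose bytes do not carry the signature of the declared image type.

```javascript
// Added example: validate an upload's bytes against its declared type before
// encrypting and sending it. Hypothetical helper, not any messenger's own code.

// Constructed allow-list of raster image types and their leading magic bytes.
// SVG is deliberately absent: it is XML and can carry script.
const SIGNATURES = {
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/gif': [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // GIF87a
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // GIF89a
  ],
};

// True when `bytes` begins with the byte sequence `sig`.
function startsWith(bytes, sig) {
  if (bytes.length < sig.length) return false;
  for (let i = 0; i < sig.length; i++) {
    if (bytes[i] !== sig[i]) return false;
  }
  return true;
}

// Crude markup sniff over the first 512 bytes: a genuine raster image never
// starts with an HTML, script or SVG tag, so their presence is a red flag.
function looksLikeMarkup(bytes) {
  let head = '';
  const n = Math.min(bytes.length, 512);
  for (let i = 0; i < n; i++) head += String.fromCharCode(bytes[i]);
  return /<\s*(!doctype|html|script|svg)/i.test(head);
}

// Returns { ok, reason }. `declaredType` is the MIME type the client intends
// to send; `bytes` is a Uint8Array of the file content.
function validateUpload(declaredType, bytes) {
  const sigs = SIGNATURES[declaredType];
  if (!sigs) {
    return { ok: false, reason: 'type not allowed: ' + declaredType };
  }
  if (looksLikeMarkup(bytes)) {
    return { ok: false, reason: 'markup found in image body' };
  }
  if (!sigs.some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: 'content does not match ' + declaredType };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample inputs: the start of a real PNG (signature + IHDR chunk
// header) and an HTML document that a sender has labelled as a PNG.
const PNG_HEADER = Uint8Array.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
]);
const HTML_AS_PNG = new TextEncoder().encode(
  '<!DOCTYPE html><html><body>not an image</body></html>'
);

// Runs the validator over the samples and returns the verdicts.
function demo() {
  return {
    realPng: validateUpload('image/png', PNG_HEADER),
    htmlLabelledPng: validateUpload('image/png', HTML_AS_PNG),
    pngLabelledJpeg: validateUpload('image/jpeg', PNG_HEADER),
    htmlDeclaredHonestly: validateUpload('text/html', HTML_AS_PNG),
  };
}

console.log(demo());
```

The check is intentionally applied on the sending client, the only party that sees plaintext in an end-to-end encrypted system; the same validator can be run again on the receiving client before a file is rendered, since a client cannot assume every peer performed the check.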
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Vanunu.