Flaw in web versions of WhatsApp, Telegram put accounts at risk

Researchers say the vulnerability can expose data, contacts, and more.
Written by Charlie Osborne, Contributing Writer

Security researchers say a new vulnerability could have exposed WhatsApp and Telegram user accounts in a matter of seconds.

According to researchers from Check Point, the security flaw permits attackers to hijack and gain complete control over the accounts of those using the popular secure messaging services.

If exploited, the critical issue allows attackers to take over user accounts on any browser, view and manipulate chat sessions, access content including images, videos, and audio, and gain access to contact lists.

On Wednesday, Check Point said in a blog post that the security flaw is present in the browser versions of the applications, WhatsApp Web and Telegram Web, rather than the mobile applications.

As such, only users of the browser-based versions could have been affected.

The vulnerability occurs through the transfer of image files. If an attacker sends an intended victim malicious code hidden within a supposedly innocent image file and the victim clicks on it, the trap springs -- and the attacker is immediately able to gain full access to WhatsApp or Telegram local storage data, which includes user account information.

To make matters worse, the attacker can then send the image file to everyone on the victim's contact list in a widespread attack. One hijacked account could, in turn, allow an attacker to leapfrog to other accounts -- provided the account holders are also using the browser-based service.

Check Point says that the end-to-end encryption used to protect the content of messages sent via WhatsApp and Telegram, which makes both services popular, is also the weakness that allowed the severe bug to escape notice in this case.

"Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were, therefore, unable to prevent malicious content from being sent," the team says.

To prevent this issue happening again, both services will now validate content before encryption takes place, which should hopefully detect and remove malicious code before messages are sent.
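The validate-before-encrypt order described above can be sketched as follows. This is an added example, not code from WhatsApp, Telegram, or Check Point; the accepted image types, the function names, and the placeholder `encryptFn` are assumptions made for illustration.

```javascript
// Added example: sender-side validation that runs BEFORE encryption.
// Accepted types and their magic numbers are assumptions for illustration.
const IMAGE_SIGNATURES = {
  "image/png":  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/gif":  [0x47, 0x49, 0x46, 0x38],
};

// Return the MIME type the leading bytes actually match, or null.
function sniffImageType(bytes) {
  for (const [mime, sig] of Object.entries(IMAGE_SIGNATURES)) {
    if (bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Validate first, encrypt second: once the payload is ciphertext, nothing
// downstream can inspect it. encryptFn is a hypothetical caller-supplied hook.
function prepareAttachment(bytes, declaredMime, encryptFn) {
  const actual = sniffImageType(bytes);
  if (actual === null) {
    return { ok: false, reason: "content is not a recognised image" };
  }
  if (actual !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${actual}` };
  }
  return { ok: true, mime: actual, ciphertext: encryptFn(bytes) };
}

// Constructed sample inputs: a PNG header, and benign HTML labelled as an image.
const pngHeader = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const htmlAsImage = new TextEncoder().encode("<!doctype html><title>x</title>");
// Stand-in for the real end-to-end encryption step; this is NOT real cryptography.
const placeholderEncrypt = (b) => Uint8Array.from(b, (x) => x ^ 0x5a);

console.log(prepareAttachment(pngHeader, "image/png", placeholderEncrypt).ok);
console.log(prepareAttachment(htmlAsImage, "image/png", placeholderEncrypt).reason);
```

A header check of this kind only confirms how a file begins, so the receiving client should also handle the attachment strictly as the validated type rather than trusting a label supplied by the sender.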

"This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over," says Oded Vanunu, head of product vulnerability research at Check Point. "By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user."

WhatsApp caters for over one billion users worldwide, while Telegram delivers over 15 messages daily to at least 100 million monthly active users. However, it is crucial to keep in mind that the security vulnerability only affects the browser-based versions of the applications, and not the mobile alternatives -- which are in a completely different space when it comes to cybersecurity, vulnerabilities, and attack vectors.

Speaking to ZDNet, Kenneth White, security researcher and co-director of the Open Crypto Audit Project (OCAP), noted that just because an app considers itself to be secure, the moment you access it from a regular browser, some of those protections may be stripped away.

The security expert believes this vulnerability disclosure can be considered a "perfect case" for "why browser-based secure messaging apps are a train wreck."

Check Point researchers disclosed the security flaw to the WhatsApp and Telegram security teams on March 7, and the security flaw was rapidly patched in the web clients.

Because the fix was applied to the web clients, no update notification is sent directly to users; instead, users who want to make sure they are using the latest versions should simply restart their browser.

"The reason you don't see any updates for the apps is because they can fix the code for the website automatically and they can also intercept anyone by updating the code automatically and no-one would ever know," White noted. "In the case of Signal [another secure messaging application], the Chrome desktop app really is an app, just written in JavaScript. You'd have to manually update it for fixes.

"But then again, because you have to manually update it, you'd also never be exposed to targeted attacker injected bogus app code," said White.
