Malicious uploads allowed hijacking of WhatsApp and Telegram accounts

Just One Photo Could Have Hacked Millions Of WhatsApp Accounts

The vulnerability would have "allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more", security experts at Check Point wrote.

Security researchers have found the same type of vulnerability in the respective web platforms of WhatsApp and Telegram (WhatsApp Web and Telegram Web), two of the world's most popular messaging services.

The vulnerability made it possible for an attacker to booby-trap a digital image with malicious code that could spring into action after the picture is clicked on for viewing, according to Check Point.

This means attackers could have gained access to the victims' message histories and shared files and could even have sent messages on their behalf, potentially compromising their contacts in a worm-like attack. Since the fix, content is validated before encryption, so that malicious files can be blocked.

For WhatsApp, a user had to purposefully open the sent image, making the exploit impractical for botnets or mass surveillance.

Since any HTML code executed in the context of those web apps would inherit their permissions inside the browser, attackers could have used this technique to steal the local storage contents of those apps and upload them to a remote server. The company, however, responded quickly to the bug report and fixed it within 24 hours of the report.
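The defensive check the article describes, validating a file's real content on the client before it is encrypted and sent, as an added example rather than code from WhatsApp, Telegram or Check Point: it confirms that the file's leading bytes match the declared image type and that no HTML markup sits in the region a browser's content sniffer inspects. The signature table, the 1 KB scan window and the sample files are assumptions constructed for the example.

```javascript
// Added example (not WhatsApp's, Telegram's or Check Point's code): validate an
// outgoing "image" by its bytes before encryption instead of trusting its MIME type.

// Leading-byte signatures for the image types this client is willing to send.
const SIGNATURES = {
  'image/png':  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/gif':  [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],
                 [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
};

function startsWith(bytes, sig) {
  if (bytes.length < sig.length) return false;
  for (let i = 0; i < sig.length; i++) if (bytes[i] !== sig[i]) return false;
  return true;
}

// The type the bytes actually are, or null if they are not a known image.
function sniffImageType(bytes) {
  for (const [mime, sigs] of Object.entries(SIGNATURES)) {
    if (sigs.some((sig) => startsWith(bytes, sig))) return mime;
  }
  return null;
}

// Browsers content-sniff the first bytes of a document, so markup near the
// start of a file can make it render as HTML; reject such files conservatively.
const HTML_MARKERS = /<\s*(!doctype|html|script|body|iframe|svg|object|meta)/i;

function looksLikeMarkup(bytes) {
  const head = Buffer.from(bytes.subarray(0, 1024)).toString('latin1'); // assumed 1 KB window
  return HTML_MARKERS.test(head);
}

// { ok: true, mime } if the file may be encrypted and sent, else { ok: false, reason }.
function validateImageUpload(bytes, declaredMime) {
  const real = sniffImageType(bytes);
  if (real === null) return { ok: false, reason: 'not a recognised image format' };
  if (real !== declaredMime) return { ok: false, reason: `declared ${declaredMime}, content is ${real}` };
  if (looksLikeMarkup(bytes)) return { ok: false, reason: 'image contains HTML markup' };
  return { ok: true, mime: real };
}

// Constructed samples: a bare PNG header, an HTML document declared as an image,
// and a PNG header with a script tag appended (the booby-trapped picture case).
const pngBytes = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const htmlBytes = Buffer.from('<html><script>/* constructed */</script></html>', 'latin1');
const pngWithScript = Buffer.concat([pngBytes, Buffer.from('<script>/* constructed */</script>', 'latin1')]);
```

Calling `validateImageUpload(pngWithScript, 'image/png')` returns `{ ok: false, reason: 'image contains HTML markup' }`, which is the case the signature check alone would have let through.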

"When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web", said Anne Yeh, a spokeswoman for that Facebook Inc unit.

Because both apps use end-to-end encryption, the firm claims, the services were unable to prevent the malicious file from being sent.

As such, no update notification is sent directly to users; those who want to be sure they are running the latest version should simply restart their browser. Telegram confirmed that it had fixed the problem earlier this week.

When the user thinks they are opening an image file (in this case, a fat cat meme), the victim is actually loading malicious code that hands the attacker the keys to their account. "So an attacker could take over an account if the target simply opened an amusing cat picture and did nothing else".

WhatsApp caters for over one billion users worldwide, while Telegram delivers over 15 messages daily to at least 100 million monthly active users.

Both the messaging apps claim that there is no record of abuse of this vulnerability.
