Messaging apps WhatsApp and Telegram had a severe security flaw that allowed hackers to hijack users' accounts with just one image, security researchers reveal.
Check Point Security researchers just disclosed a serious vulnerability that allowed hackers to hijack hundreds of millions of WhatsApp and Telegram accounts simply by sending a malware-laden image. The attack targeted the way both Telegram and WhatsApp process images and multimedia files.
Both WhatsApp and Telegram have acknowledged and addressed the flaw so it can no longer be exploited, but here's what happened.
WhatsApp And Telegram Hacked With Malicious Image
The security researchers managed to create a malicious image that would seem normal in preview, but would in fact direct users to a malware-ridden HTML page. Once users loaded the malicious page in question, the page would grab all locally stored data and hackers could seize the victim's account altogether.
The flaw exposed those who used the browser versions of the two services, meaning WhatsApp Web and Telegram Web, both of which are fully synced with their mobile versions.
"This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos, and other shared files, contact lists, and more," warn Check Point researchers Roman Zaikin, Eran Vaknin and Dikla Barda. "This means that attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts."
Put simply, attackers could completely take over a user's account just by sending an image. Check Point researchers further highlight that the image could be modified to look more attractive, thus increasing the chances that users would open it.
Since the attack granted hackers access to the app's local storage if successful, the hackers could proceed to send the malicious image to all contacts in the victim's contact list to do even more damage and expand the reach of the attack across WhatsApp's and Telegram's networks.
End-To-End Encryption Downside
Both WhatsApp and Telegram use end-to-end encryption to ensure that users' messages are safe from prying eyes, but this is a double-edged sword. While end-to-end encryption ensures that conversations stay private, it also means that messages pass through the platforms without first being checked for malware. In other words, WhatsApp and Telegram couldn't have prevented such malicious files from being sent because they don't have access to messages exchanged on their platforms; only users have access.
WhatsApp And Telegram Are Safe Now
Check Point reported the security flaw to both WhatsApp and Telegram on March 7, and both companies have since verified and identified the issue. They have updated their systems to patch the vulnerability and add protection against similar attacks.
More specifically, WhatsApp and Telegram will from now on validate content before it is encrypted, so they can block malicious files before these reach users. This minimizes the risk of spreading malware.
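A sketch of the kind of pre-encryption check described above, as an added example that is not code from WhatsApp, Telegram or Check Point. It assumes the malicious file is HTML content labelled as an image; the function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: allow-list of image types and their leading magic bytes.
const SIGNATURES = [
  { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { mime: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Return the image type the bytes actually start with, or null.
function sniffImageType(bytes) {
  for (const { mime, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Hypothetical pre-encryption gate: the sending client calls this before
// it encrypts and uploads an attachment (assumed flow, not the vendors').
function validateBeforeEncrypt(bytes, claimedMime) {
  const claimed = String(claimedMime).trim().toLowerCase();
  if (!SIGNATURES.some((s) => s.mime === claimed)) {
    return { ok: false, reason: "type not on image allow-list" };
  }
  const actual = sniffImageType(bytes);
  if (actual === null) {
    return { ok: false, reason: "content is not a recognised image" };
  }
  if (actual !== claimed) {
    return { ok: false, reason: `claimed ${claimed} but content is ${actual}` };
  }
  return { ok: true, reason: "content matches claimed type" };
}

// Constructed sample inputs: an HTML document and a bare PNG header.
const enc = new TextEncoder();
const htmlAsJpeg = enc.encode("<!DOCTYPE html><html><body>not an image</body></html>");
const realPngHeader = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);

console.log(validateBeforeEncrypt(htmlAsJpeg, "image/jpeg"));
console.log(validateBeforeEncrypt(realPngHeader, "image/png"));
console.log(validateBeforeEncrypt(realPngHeader, "image/jpeg"));
```

A signature check only confirms the leading bytes, so the receiving web client should still handle an attachment as its verified type rather than letting the browser guess from content.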
On the bright side, the flaw only affected the browser-based versions of the two messaging apps. The extent of the problem would surely have been far greater had it affected the mobile apps as well.