CheckPoint, an Israeli security firm, unveiled this Wednesday a security flaw in encrypted messages that could affect the web version of WhatsApp and Telegram.
The platforms were alerted about the vulnerability on March 8th and have already fixed the issue in both messengers by changing the file upload validation protocols to protect against the attack. The flaw took advantage of a webapps vulnerability on the browser commands that could steal access to the victim’s account or contact list when playing videos or opening photos.
“By simply sending an innocent-looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user,” said Oded Vanunu, head of product vulnerability research at Check Point.
However, it was not mentioned how many accounts could be effectively compromised, but for sure this flaw represented a danger to “hundreds of millions” of users accessing the platforms from a web browser version as a hacker could effectively camouflage a malware in the image, which would have been activated whenever the recipient clicks to open it.
WhatsApp and Telegram use a coding that ensures that only the sender and recipient of the messages can see its content, in simple words called encryption that differ from regular e-mails for example, and that could be the reason why the two Apps could not detect the malware content.
WhatsApp acknowledged the problem and recommended that users restart their browsers to ensure they are using the most current version.
“We’ve built WhatsApp to keep people and their information safe. When Check Point reported the issue, we resolved the issue in one day and released an update to the WhatsApp Web. To ensure you’re using the latest version, please restart your browser.”
Whatsapp vulnerability demonstration
However Telegram, in a note, declined the problem by stating that the application does not have the same vulnerability as the competitor:
“The part about Telegram in this statement is not true. Sadly, it is now part of a barrage of articles written by misleading journalists all over the globe. So if you see a headline like “How one photo could have hacked your WhatsApp and Telegram accounts,” feel free to tell the author that an irresponsible security company has duped them.”
Telegram vulnerability demonstration
Early this month, Confide, a secure chat app popular with White House staffers, was also reported by IOActive to have several critical security vulnerabilities. A report saying that the Windows and Android versions of Confide had numerous flaws that could allow an attacker to impersonate users, decrypt messages, edit messages before they were received and learn the contact details of a targeted user.