
High-Impact Bug That Allowed Account Hijacking Removed from WhatsApp and Telegram

Posted: March 16, 2017

WhatsApp and Telegram have just fixed a major security bug in their web versions that allowed attackers to take full control of user accounts and read personal and group conversations, photos, videos, contact lists and, in effect, everything else the user has shared and stored in the two messaging applications.

Researchers from Check Point Technologies reported the issue to the security teams of WhatsApp and Telegram on March 7 this year, and both companies verified and acknowledged the flaw. A patch was released earlier this week, so all users who have restarted their browsers should now be protected, as the update is installed automatically.

The problem lay in the end-to-end encryption the two apps use to protect their users. With end-to-end encryption, exchanged messages can be read only by the communicating parties; nothing in between inspects the content for irregularities. That way of securing the information flow had a severe weakness: if exploited, it would allow an attacker to take full control of a user's account in any browser and expose all the personal data stored there to misuse. The web versions of both platforms mirror every message the user sends and receives, and those messages are also synchronized with the mobile versions installed on the user's other devices. However, the messages were sent without being validated first, so WhatsApp and Telegram had no way to detect and block malicious content.

The researchers from Check Point Technologies describe how cyber criminals could have exploited this vulnerability. An attack would start with the attackers sending the user a harmless-looking file that contains malicious code. The file could entice the user to click on it by displaying some attractive content.

On WhatsApp, the engineers managed to bypass the file-upload restrictions enforced by the app's security mechanism and send a malicious HTML file disguised as a legitimate cat image. The potential victim only needs to click on the file to open it; the code hidden behind the image immediately gives the attackers access to the user's local storage and, with it, to all the data it contains. On Telegram, the attack works much the same way, except that after the attackers bypass the upload restrictions and send the file, the user has to open it in a new tab before the local storage becomes accessible. From there, the attackers can send the malicious file to the user's entire contact list and so spread the malware further across the messenger's network. Since WhatsApp and Telegram fixed this vulnerability, the content of every sent message is validated before encryption, and both apps can now block such malicious files.
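As an added illustration (not code from WhatsApp, Telegram or Check Point), this is the kind of pre-encryption check the fix describes: a web client that can read an attachment's bytes before sending them verifies that a file declared as an image really starts with an image header and carries no HTML markup. The type table and the markup patterns are assumptions chosen for the example.

```javascript
// Added example, not the messengers' own code: validate an outgoing attachment
// BEFORE end-to-end encryption, because after encryption nothing between the
// two users can inspect the content.

// Leading bytes every file of the given type must start with (assumed allow-list).
const IMAGE_SIGNATURES = {
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/png':  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/gif':  [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],   // GIF87a
                 [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],  // GIF89a
};

function hasSignature(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Decode the first 512 bytes as Latin-1 and look for markup a browser would
// render if this blob were opened in a tab: the "HTML posing as a cat picture"
// case, plus simple polyglots where markup follows a genuine image header.
function containsMarkup(bytes) {
  const head = Array.from(bytes.subarray(0, 512), b => String.fromCharCode(b))
    .join('')
    .toLowerCase();
  return /<!doctype\s+html|<html[\s>]|<script[\s>]|<svg[\s>]|<iframe[\s>]/.test(head);
}

// Returns { ok: true } when the bytes are an image of the declared type,
// otherwise { ok: false, reason } so the client can refuse to send the file.
function validateImageAttachment(bytes, declaredMime) {
  const sigs = IMAGE_SIGNATURES[declaredMime];
  if (!sigs) return { ok: false, reason: `type ${declaredMime} is not an allowed image type` };
  if (!sigs.some(sig => hasSignature(bytes, sig))) {
    return { ok: false, reason: `content does not start with the ${declaredMime} header` };
  }
  if (containsMarkup(bytes)) return { ok: false, reason: 'image contains HTML markup' };
  return { ok: true };
}

// Constructed sample inputs (not real captured files) for a self-check.
const latin1 = s => Uint8Array.from(s, c => c.charCodeAt(0));
const SAMPLE_JPEG = Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const SAMPLE_HTML_AS_JPEG = latin1('<html><script>/* placeholder */</script></html>');
const SAMPLE_POLYGLOT = new Uint8Array([...SAMPLE_JPEG, ...latin1('<script>1</script>')]);

console.log(validateImageAttachment(SAMPLE_JPEG, 'image/jpeg'));          // { ok: true }
console.log(validateImageAttachment(SAMPLE_HTML_AS_JPEG, 'image/jpeg'));  // rejected: wrong header
console.log(validateImageAttachment(SAMPLE_POLYGLOT, 'image/jpeg'));      // rejected: markup inside
```

The same check belongs on the receiving side too, since a client must not trust that a peer performed it.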

Given how widely WhatsApp and Telegram are used, the bug could have had a massive impact, affecting millions of users worldwide. Although the two platforms should now be safe with regard to the encryption process, users should still be careful in their communications. A good habit is to periodically review and sign out logged-in devices so that you keep control over who has access to your account. The other important rule is never to open suspicious files sent to you by unknown users.
