
Flaw in web versions of WhatsApp, Telegram puts accounts at risk


Security researchers say a new vulnerability could have exposed WhatsApp and Telegram user accounts in seconds.

According to researchers from Check Point, the security flaw allows attackers to hijack and take full control of the accounts of users of the popular secure messaging services.

If exploited, the critical issue allows attackers to take control of user accounts on any browser, view and manipulate chat sessions, and access content, including images, videos, audio and contact lists.

On Wednesday, Check Point said in a blog post that the security flaw is present in the browser versions of the applications, WhatsApp Web and Telegram Web, rather than in the mobile apps.

Thus, only users of the browser-based versions could have been affected.

The vulnerability occurs via image file transfer. If an attacker sends a targeted victim malicious code hidden in a supposedly innocent image file and the victim clicks on it, the trap is triggered – and the attacker is immediately able to gain full access to the local storage data of WhatsApp or Telegram, which includes user account information.

To make matters worse, the attacker can then send the image file to everyone on the victim’s contact list in a widespread attack, so a single hijacked account could be used to compromise further accounts, provided those account holders are also using the browser-based service.

Check Point says the end-to-end encryption used to protect the content of messages sent via WhatsApp and Telegram, which makes the two services popular, is also the weakness that allowed the serious bug to escape notice in this case.

“Because the messages were encrypted on the sender’s side, WhatsApp and Telegram were blind to the content and therefore unable to prevent the sending of malicious content,” the team explains.

To prevent this issue from happening again, both services will now validate content before encryption, which should detect and remove malicious code before messages are sent.
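The article describes the attack (malicious code carried in a file the client treats as an innocent image) and the fix (validate content before it is encrypted and becomes opaque to the server). The following is an added example of what such a sender-side check can look like; it is not code from the article, Check Point, WhatsApp or Telegram. It assumes a Node.js environment with `Buffer`, and the allow-list of image types, the `validateImageUpload` and `runSamples` function names, and the sample inputs are all constructed for illustration.

```javascript
// Added example (not from the article, Check Point, WhatsApp or Telegram):
// a sender-side "validate before encrypt" check for a file a web client is
// about to send as an image. It refuses files whose leading bytes do not
// match the declared image type and files whose head carries HTML/SVG/script
// markup, so a payload that is not a real picture is dropped before it is
// end-to-end encrypted and the server loses the ability to inspect it.

// Allow-list of image MIME types and their magic-byte signatures (assumed set).
const ALLOWED_TYPES = {
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/png':  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/gif':  [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],   // GIF87a
                 [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],  // GIF89a
};

// Tags a browser would render or execute if it ever treated the bytes as a document.
const MARKUP_PATTERN = /<\s*(!doctype|html|head|body|script|svg|iframe|object|embed)\b/i;

function hasSignature(bytes, sig) {
  if (bytes.length < sig.length) return false;
  return sig.every((b, i) => bytes[i] === b);
}

function containsMarkup(bytes) {
  // Decode the first 4 KiB as latin1 so every byte maps to exactly one
  // character, then scan for markup regardless of the declared type.
  const head = Buffer.from(bytes.subarray(0, 4096)).toString('latin1');
  return MARKUP_PATTERN.test(head);
}

// Returns { ok, reason }; a message is only encrypted and sent when ok is true.
function validateImageUpload(declaredType, bytes) {
  const sigs = ALLOWED_TYPES[declaredType];
  if (!sigs) return { ok: false, reason: 'type-not-allowed' };
  if (!sigs.some((sig) => hasSignature(bytes, sig))) {
    return { ok: false, reason: 'magic-mismatch' };
  }
  if (containsMarkup(bytes)) return { ok: false, reason: 'markup-in-image' };
  return { ok: true, reason: 'valid' };
}

// Constructed sample inputs (not real captured files).
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const SAMPLE_PNG = Buffer.concat([PNG_SIGNATURE, Buffer.from('IHDR-and-pixel-data-placeholder')]);
const SAMPLE_HTML_AS_JPEG = Buffer.from('<html><body>not an image</body></html>');
const SAMPLE_SVG = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"></svg>');
// A valid PNG header followed by markup: passes the magic check alone, fails the markup scan.
const SAMPLE_POLYGLOT = Buffer.concat([PNG_SIGNATURE, Buffer.from('<script>...</script>')]);

function runSamples() {
  return {
    png: validateImageUpload('image/png', SAMPLE_PNG),
    htmlAsJpeg: validateImageUpload('image/jpeg', SAMPLE_HTML_AS_JPEG),
    svg: validateImageUpload('image/svg+xml', SAMPLE_SVG),
    polyglot: validateImageUpload('image/png', SAMPLE_POLYGLOT),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Both checks matter: the magic-byte test alone lets a file that starts with a real image header through, and the markup scan alone would not stop a type the client never expected to receive, which is why unknown types are rejected outright rather than sniffed.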

“This new vulnerability puts hundreds of millions of WhatsApp Web and Telegram Web users at risk of a complete account takeover,” said Oded Vanunu, product vulnerability research manager at Check Point. “By simply sending an innocent-looking photo, an attacker could take control of the account, access message history, any photos that have ever been shared, and send messages on behalf of the user.”

WhatsApp caters to over a billion users worldwide, while Telegram sends over 15 messages a day to at least 100 million monthly active users. However, it’s essential to keep in mind that the security vulnerability only affects browser-based versions of apps, not mobile alternatives – which are in a completely different space when it comes to cybersecurity, vulnerabilities and attack vectors.

Speaking to ZDNet, Kenneth White, security researcher and co-director of the Open Crypto Audit Project (OCAP), noted that even if an application considers itself secure, as soon as you access it from a standard browser, some of those protections may be removed.

The security expert believes this vulnerability disclosure can be seen as a “perfect case” for “why browser-based secure messaging apps are a train wreck”.

Check Point researchers disclosed the security flaw to the WhatsApp and Telegram security teams on March 7, and the flaw was quickly patched in both web clients.

Because the fix lives in the web client code served by the site, no update notification is sent directly to users; instead, users who want to make sure they’re definitely using the latest versions simply need to restart their browser.

“The reason why you don’t see any updates for apps is because they can auto-fix website code and they can also catch anyone by auto-updating code and no-one will ever know,” White noted. “In the case of Signal [another secure messaging application], the Chrome desktop app is really an app, just written in JavaScript. You will have to manually update it for patches.

“But again, because you have to update it manually, you’ll also never be exposed to fake application code injected by a targeted attacker,” White said.
