Messaging apps WhatsApp and Telegram are popular for the end-to-end encryption services they provide, ensuring that messages are visible only to a sender and intended recipient. However, a recently discovered vulnerability in these messaging apps would have allowed the malicious takeover over entire accounts had it not been corrected, completely bypassing the encryption for sent and received messages, files and contact lists.
If a user were to upload an image containing malicious code, the attacker could exploit the vulnerability in the online platform to gain full access to stored data for either messaging service, thereby taking over the entire account.
The problem, as discovered by researchers at CheckPoint, is in the online platform for both messaging services: WhatsApp Web and Telegram Web. All messages sent and received by the user are mirrored to the online platform, which is synced with all user devices.
Each app allows the user to attach files to a message, which include video, image, and PDF files. The researchers were able to use a malicious HTML document disguised as a legitimate image preview to trick users into clicking on the document.
Once clicked, the web platform navigates the user to a unique URL to view the image. The user’s local storage data is then automatically sent to the attacker without any further actions required by the victim.
At that point the attacker has access to all of the victim’s conversations, both individual and group chats, as well as photos, videos, shared files and contact lists. The attacker could then demand ransom, release photos and videos online, or send damaging messages using the victim’s identity.
Further, once the attacker has completed the account takeover, the original image containing the malicious code could be sent to the victim’s entire contact list.
Users of WhatsApp would have an indication that there was a problem with their account, as the app only allows one active session at a time, so a victim would receive a message notifying them that a current session was running on another device. Telegram, however, allows an unlimited number of active sessions, so users would have a more difficult time knowing if their account had been accessed.
CheckPoint disclosed the vulnerability to WhatsApp and Telegram on March 7th, and both companies have created a fix and encourage users to restart their web browsers in order to ensure that they are running the most recent version of the app.