WhatsApp blind-sided by booby-trapped photo vulnerability

Same issue in Telegram, says researcher


Security researchers have found the same type of vulnerability in the respective web platforms of WhatsApp and Telegram (WhatsApp Web and Telegram Web), two of the world’s most popular messaging services.

The now-resolved vulnerability - discovered by security researchers at Check Point - would have allowed an attacker to send the victim malicious code hidden within an innocent-looking image. As soon as the user clicked on the image, the attacker would have been able to gain full access to the victim’s WhatsApp or Telegram storage data, thus giving them full access to the victim’s account.

The flaw stemmed from a loophole in the way WhatsApp and Telegram verified content that created a means for hackers to create malicious content that side-stepped the pre-encryption verification process of the mobile messaging apps.

Both WhatsApp and Telegram have fixed the vulnerability.

"This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over," says Oded Vanunu, head of product vulnerability research at Check Point. "By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user."

Check Point notified both WhatsApp and Telegram of the problem last Wednesday (8 March). Both companies acknowledged the vulnerability, and WhatsApp responded promptly by fixing the issue on Thursday 9 March. Telegram confirmed that it had fixed the problem earlier this week.

Facebook-owned WhatsApp told El Reg that it resolved the flaw just a day after being notified by Check Point.

We build WhatsApp to keep people and their information secure. When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser.

WhatsApp and Telegram both use end-to-end message encryption as a data security measure. This same end-to-end encryption was also the source of this vulnerability, according to Check Point.

Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, thus unable to prevent malicious content from being sent. After fixing this vulnerability, content will now validated before the encryption, so that malicious files can be blocked.

More details on the vulnerability can be found in a blog post by Check Point here.

WhatsApp has over 1 billion users worldwide, making it the most widely used instant messaging. Telegram is a cloud-based mobile and desktop messaging app that has over 100 million monthly active users. ®

Sponsored: Becoming a Pragmatic Security Leader

Biting the hand that feeds IT © 1998–2019