WhatsApp blind-sided by booby-trapped photo vulnerability

Same issue in Telegram, says researcher

By John Leyden


Security researchers have found the same type of vulnerability in the respective web platforms of WhatsApp and Telegram (WhatsApp Web and Telegram Web), two of the world’s most popular messaging services.

The now-resolved vulnerability - discovered by security researchers at Check Point - would have allowed an attacker to send the victim malicious code hidden within an innocent-looking image. As soon as the user clicked on the image, the attacker would have been able to gain full access to the victim’s WhatsApp or Telegram storage data, thus giving them full access to the victim’s account.

The flaw stemmed from a loophole in the way WhatsApp and Telegram verified content, which let hackers create malicious content that side-stepped the mobile messaging apps' pre-encryption verification process.

Both WhatsApp and Telegram have fixed the vulnerability.

"This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over," says Oded Vanunu, head of product vulnerability research at Check Point. "By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user."

Check Point notified both WhatsApp and Telegram of the problem last Wednesday (8 March). Both companies acknowledged the vulnerability, and WhatsApp responded promptly by fixing the issue on Thursday 9 March. Telegram confirmed that it had fixed the problem earlier this week.

Facebook-owned WhatsApp told El Reg that it resolved the flaw just a day after being notified by Check Point.

"We build WhatsApp to keep people and their information secure. When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser."

WhatsApp and Telegram both use end-to-end message encryption as a data security measure. This same end-to-end encryption was also the source of this vulnerability, according to Check Point.

Since messages were encrypted on the sender's side, WhatsApp and Telegram were blind to the content and thus unable to prevent malicious content from being sent. Following the fix, content will now be validated before encryption, so that malicious files can be blocked.
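A sketch of the ordering the fix describes, as an added example that is not WhatsApp's or Telegram's code: the sending client checks that a file's leading bytes match the image type it claims before encrypting it, because nothing downstream can inspect the ciphertext. The function names, the allow-list of types and the sample bytes are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Leading-byte signatures for the image types this hypothetical client accepts.
const SIGNATURES = {
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/gif': [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // "GIF87a"
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // "GIF89a"
  ],
};

// Return the allowed image type whose signature the bytes start with, or null.
function sniffImageType(bytes) {
  for (const [mime, sigs] of Object.entries(SIGNATURES)) {
    if (sigs.some((sig) => sig.every((b, i) => bytes[i] === b))) return mime;
  }
  return null;
}

// Validate first, encrypt second: once the payload is ciphertext, the relay
// cannot tell an image from an HTML document, so the check must happen here.
function prepareImageUpload(declaredMime, bytes, key) {
  const sniffed = sniffImageType(bytes);
  if (sniffed === null || sniffed !== declaredMime) {
    const seen = sniffed ?? 'non-image data';
    return { ok: false, reason: `declared ${declaredMime}, content is ${seen}` };
  }
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(bytes), cipher.final()]);
  return { ok: true, mime: sniffed, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Constructed sample inputs: a PNG header fragment and an HTML document.
const key = crypto.randomBytes(32);
const png = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const html = Buffer.from('<!DOCTYPE html><html><body>not an image</body></html>');

console.log(prepareImageUpload('image/png', png, key).ok);       // accepted, then encrypted
console.log(prepareImageUpload('image/jpeg', html, key).reason); // rejected before encryption
```

Matching leading bytes does not prove the rest of the file is a well-formed image, so a receiving client should still treat decrypted attachments as untrusted.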

More details on the vulnerability can be found in a blog post by Check Point.

WhatsApp has over 1 billion users worldwide, making it the most widely used instant messaging service. Telegram is a cloud-based mobile and desktop messaging app that has over 100 million monthly active users. ®
