WhatsApp blind-sided by booby-trapped photo vulnerability

Same issue in Telegram, says researcher

By John Leyden


Security researchers have found the same type of vulnerability in the respective web platforms of WhatsApp and Telegram (WhatsApp Web and Telegram Web), two of the world’s most popular messaging services.

The now-resolved vulnerability - discovered by security researchers at Check Point - would have allowed an attacker to send the victim malicious code hidden within an innocent-looking image. As soon as the user clicked on the image, the attacker would have been able to gain full access to the victim’s WhatsApp or Telegram storage data, thus giving them full access to the victim’s account.

The flaw stemmed from a loophole in the way WhatsApp and Telegram verified content, which gave hackers a means to create malicious content that side-stepped the mobile messaging apps' pre-encryption verification process.

Both WhatsApp and Telegram have fixed the vulnerability.

"This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over," says Oded Vanunu, head of product vulnerability research at Check Point. "By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user."

Check Point notified both WhatsApp and Telegram of the problem last Wednesday (8 March). Both companies acknowledged the vulnerability, and WhatsApp responded promptly by fixing the issue on Thursday 9 March. Telegram confirmed that it had fixed the problem earlier this week.

Facebook-owned WhatsApp told El Reg that it resolved the flaw just a day after being notified by Check Point.

We build WhatsApp to keep people and their information secure. When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser.

WhatsApp and Telegram both use end-to-end message encryption as a data security measure. This same end-to-end encryption was also the source of this vulnerability, according to Check Point.

Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and thus unable to prevent malicious content from being sent. After fixing this vulnerability, content will now be validated before the encryption, so that malicious files can be blocked.
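The ordering described above, sketched as an added example (not code from WhatsApp, Telegram or Check Point): the sender's client checks an attachment before encrypting it, because the server cannot inspect it afterwards. The article does not say what the check consists of; the magic-byte comparison against an allow-list of image types, and the names `validateAttachment`, `prepareForSend` and `encrypt`, are assumptions.

```javascript
// Added example: validate an attachment on the sender's client BEFORE encryption.
// Assumption: the check compares the leading bytes with the declared image type.
const IMAGE_SIGNATURES = new Map([
  ["image/jpeg", [[0xff, 0xd8, 0xff]]],
  ["image/png", [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]]],
  ["image/gif", [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // "GIF87a"
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // "GIF89a"
  ]],
]);

function hasPrefix(bytes, signature) {
  return bytes.length >= signature.length &&
    signature.every((b, i) => bytes[i] === b);
}

// Returns { ok, reason }. Unknown types are rejected (allow-list, not block-list).
function validateAttachment(bytes, declaredType) {
  // Drop MIME parameters and normalise case: "Image/PNG; x=1" -> "image/png".
  const type = String(declaredType).split(";")[0].trim().toLowerCase();
  const signatures = IMAGE_SIGNATURES.get(type);
  if (!signatures) return { ok: false, reason: "type not on allow-list" };
  if (!signatures.some((sig) => hasPrefix(bytes, sig))) {
    return { ok: false, reason: "content does not match declared type" };
  }
  return { ok: true, reason: "ok" };
}

// Gate in front of encryption. `encrypt` is a hypothetical callback standing in
// for the client's real end-to-end encryption step.
function prepareForSend(bytes, declaredType, encrypt) {
  const verdict = validateAttachment(bytes, declaredType);
  if (!verdict.ok) throw new Error("attachment rejected: " + verdict.reason);
  return encrypt(bytes);
}

// Constructed sample inputs: a PNG header, and markup labelled as a PNG.
const SAMPLE_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const SAMPLE_DISGUISED = new TextEncoder().encode("<html><body>not an image</body></html>");

console.log(validateAttachment(SAMPLE_PNG, "image/png"));
console.log(validateAttachment(SAMPLE_DISGUISED, "image/png"));
```

A signature match is a minimum gate rather than proof that a file is harmless, so the receiving client should still treat attachments as inert data when displaying them.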

More details on the vulnerability can be found in a blog post by Check Point.

WhatsApp has over 1 billion users worldwide, making it the most widely used instant messaging service. Telegram is a cloud-based mobile and desktop messaging app that has over 100 million monthly active users. ®
