WhatsApp blind-sided by booby-trapped photo vulnerability

Same issue in Telegram, says researcher

By John Leyden

Posted in Security, 15th March 2017 14:34 GMT

Security researchers have found the same type of vulnerability in the respective web platforms of WhatsApp and Telegram (WhatsApp Web and Telegram Web), two of the world’s most popular messaging services.

The now-resolved vulnerability - discovered by security researchers at Check Point - would have allowed an attacker to send the victim malicious code hidden within an innocent-looking image. As soon as the user clicked on the image, the attacker would have been able to gain full access to the victim’s WhatsApp or Telegram storage data, thus giving them full access to the victim’s account.

The flaw stemmed from a loophole in the way WhatsApp and Telegram verified content, which gave hackers a means to craft malicious content that side-stepped the pre-encryption verification process of the mobile messaging apps.

Both WhatsApp and Telegram have fixed the vulnerability.

"This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over," says Oded Vanunu, head of product vulnerability research at Check Point. "By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user."

Check Point notified both WhatsApp and Telegram of the problem last Wednesday (8 March). Both companies acknowledged the vulnerability, and WhatsApp responded promptly by fixing the issue on Thursday 9 March. Telegram confirmed that it had fixed the problem earlier this week.

Facebook-owned WhatsApp told El Reg that it resolved the flaw just a day after being notified by Check Point.

"We build WhatsApp to keep people and their information secure. When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser."

WhatsApp and Telegram both use end-to-end message encryption as a data security measure. This same end-to-end encryption was also the source of this vulnerability, according to Check Point.

Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and thus unable to prevent malicious content from being sent. After fixing this vulnerability, content will now be validated before the encryption, so that malicious files can be blocked.
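The ordering described above, with validation happening before encryption, shown as an added example that is not part of the original article and is not WhatsApp's or Telegram's code. The allow-list, the function names and the placeholder `encryptFn` are assumptions for illustration; the article does not say how the vendors implemented their check.

```javascript
// Added example: sender-side attachment check that runs BEFORE encryption.
// Allow-list and function names are assumptions, not WhatsApp/Telegram code.
const SIGNATURES = [
  { mime: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Identify the file from its leading bytes, ignoring name and declared type.
function sniffImageType(data) {
  for (const sig of SIGNATURES) {
    if (data.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => data[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Accept only when the bytes are a known image AND match the declared type.
function validateAttachment(data, declaredMime) {
  const detected = sniffImageType(data);
  if (detected === null) {
    return { ok: false, reason: "content is not a recognised image" };
  }
  if (detected !== declaredMime.trim().toLowerCase()) {
    return { ok: false, reason: `declared ${declaredMime}, content is ${detected}` };
  }
  return { ok: true, mime: detected };
}

// Encrypt only validated content; encryptFn stands in for the real E2E layer.
function prepareAttachment(data, declaredMime, encryptFn) {
  const verdict = validateAttachment(data, declaredMime);
  if (!verdict.ok) {
    return { sent: false, reason: verdict.reason };
  }
  return { sent: true, mime: verdict.mime, ciphertext: encryptFn(data) };
}

// Constructed sample inputs: a PNG header and an HTML document posing as a photo.
const png = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const html = new TextEncoder().encode("<!DOCTYPE html><html><body>not a photo</body></html>");
const placeholderEncrypt = (d) => Uint8Array.from(d, (b) => b ^ 0xaa); // NOT real crypto

console.log(prepareAttachment(png, "image/png", placeholderEncrypt).sent);
console.log(prepareAttachment(html, "image/png", placeholderEncrypt).reason);
```

A leading-signature check is a minimum; fully decoding and re-encoding the image is a stronger test. Because a modified sender can skip this step, the receiving client should run the same check after decryption.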

More details on the vulnerability can be found in a blog post by Check Point.

WhatsApp has over 1 billion users worldwide, making it the most widely used instant messaging service. Telegram is a cloud-based mobile and desktop messaging app that has over 100 million monthly active users. ®
