Flaw in web versions of WhatsApp, Telegram put accounts at risk

The way WhatsApp and Telegram encrypted messages without validation meant that the companies had no idea, and no way of knowing, that malicious code was being sent. Included in this list are popular, secure chat apps WhatsApp and Telegram, and Check Point software has just released details of a vulnerability that left millions of user accounts exposed to hackers. At least in the case of WhatsApp, once paired using a QR code, the phone needs to have an active internet connection for WhatsApp messages to be relayed to the browser on the computer.

This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more.

There is no evidence that the flaw was used by hackers but a spokesperson for Check Point says it had been present on the platforms for a significant time period and put "hundreds of millions" of accounts at risk. When the victim opens this innocent looking file containing malicious code, the malicious file allowed the attacker to access WhatsApp's and Telegram's local storage, where user data is stored.

Due to both apps' end-to-end encryption it was impossible, the firm claims, for them to prevent the malicious file from being sent.

This threat has been patched over since 8th march and is no longer a problem.

"Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients".

As such, there is no notification of an update sent directly to users; instead, users who want to make sure they are definitely using the latest versions should simply restart their browser.

The security company demonstrated the security flaw for both messaging applications in videos posted to YouTube. It was also possible for the Check Point researchers to use JavaScript to override the message that appears saying WhatsApp web is being used in another location.

"However, Check Point's research team has managed to bypass the mechanism's restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to take over his account".

Nevertheless, the fact malicious files hidden the way Check Point's researchers slipped them in was indeed a security design error, he said.

Telegram's flaw was much more subtle and required "very unusual" behavior by the victim, such as right-clicking on a video and opening a new tab, said spokesman Markus Ra.

  • Arturo Norris