Web Versions of WhatsApp, Telegram Vulnerable to Hackers

One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp, Telegram and other end-to-end encrypted chat applications. While this has yet to be proven, many end-users are concerned as WhatsApp and Telegram use end-to-end encryption to guarantee user privacy. This encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.

Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platform – WhatsApp Web and Telegram Web. The online version of these platforms mirror all messages sent and received by the user, and are fully synced with the users’ device.

This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more. This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.

The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code. The file can be modified to contain attractive content to raise the chances a user will open it. Once the user clicks to open it, the malicious file allows the attacker to access WhatsApp’s and Telegram’s local storage, where user data is stored. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to the all victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.

Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.

Check Point disclosed this information to WhatsApp’s and Telegram’s security teams on March 7th. Both companies have verified and acknowledged the security issue and developed a fix for web clients worldwide soon after. “Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu. WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.

Following the patch of this vulnerability, content is now validated by WhatsApp and Telegram before the encryption, allowing them to block malicious files.

While WhatsApp & Telegram have patched this vulnerability, as a general practice we recommend the following preventive measures:

1. Periodically clean logged-in computers from your WhatsApp & Telegram. This will allow you to control the devices that are hosting your account, and shut down unwanted activity.
2. Avoid opening suspicious files and links from unknown users.

View demo of WhatsApp Web Account Takeover

View demo of Telegram Web Account Takeover

Read full post on Check Point.