How One Cat Image Could Have Hijacked Your WhatsApp or Telegram Account
A vulnerability found in the web versions of WhatsApp and Telegram could have been exploited to silently snoop on user accounts. Security researchers disclosed the vulnerability to the public earlier today after the two popular messaging apps fixed the flaw.
The vulnerability would have “allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more,” security experts at Check Point wrote. “Attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.”
WhatsApp and Telegram vulnerability – how it works
The vulnerability allowed an attacker to create malicious code, hide it within an image or video, and send it to the target WhatsApp or Telegram user. When the victim opened this innocent-looking file, the malicious code it contained gave the attacker access to WhatsApp’s and Telegram’s local storage, where user data is stored.
Once this HTML inject was uploaded and was encrypted and delivered to the other side [the WhatsApp server], the other side was rendering this HTML, innocent-looking image and executed the code that was stealing the local storage of the user.
From here on, attackers could gain full access to the user account and data, including messages and photos. Since the attacker gets complete control over the victim’s messaging app, they can also send the malicious file to all of the victim’s contacts, further increasing their target base.
The flaw is believed to have affected WhatsApp since its launch in January 2015. The company, however, responded quickly to the bug report and fixed the flaw less than 24 hours after it was reported. The flaw was reportedly patched on Thursday, March 8.
Encryption actually favored attackers
The Facebook-owned messaging service fixed the critical security vulnerability by forcing validation of content before encryption so that malicious files can be blocked. Previously, the end-to-end encryption was working in favor of attackers because the message content wasn’t being validated by the messaging services.
Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.
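The fix described above, sketched as an added example (not WhatsApp's or Telegram's code): the sending client checks that an attachment's bytes match its declared type before the content is encrypted. The allow-list, the function names and the caller-supplied encrypt function are assumptions made for illustration.

```javascript
// Added example: check an attachment's bytes against its declared type
// BEFORE encryption, while the client can still see the content.
// The allow-list and function names are assumptions, not WhatsApp/Telegram code.
const SIGNATURES = {
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/gif': [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],   // "GIF87a"
                [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],  // "GIF89a"
};

function validateAttachment(declaredType, bytes) {
  // Drop parameters such as "; charset=utf-8" and normalise case.
  const type = String(declaredType).split(';')[0].trim().toLowerCase();
  const sigs = SIGNATURES[type];
  if (!sigs) return { ok: false, reason: 'type not on allow-list' };
  const match = sigs.some(
    (sig) => bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)
  );
  return match
    ? { ok: true, reason: 'signature matches declared type' }
    : { ok: false, reason: 'content does not match declared type' };
}

// Gate in front of the encryption step. `encrypt` is a caller-supplied
// function (hypothetical here); it is never reached for rejected content.
function prepareForSend(declaredType, bytes, encrypt) {
  const verdict = validateAttachment(declaredType, bytes);
  if (!verdict.ok) throw new Error(`attachment rejected: ${verdict.reason}`);
  return encrypt(bytes);
}

// Constructed samples: a PNG header, and an HTML document labelled as an image.
const pngSample = Uint8Array.of(0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0);
const htmlSample = new TextEncoder().encode('<html><body>cat</body></html>');

console.log(validateAttachment('image/png', pngSample));
console.log(validateAttachment('image/jpeg', htmlSample));
console.log(validateAttachment('text/html', htmlSample));
```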
WhatsApp has over 1.3 billion users; however, it’s unclear how many of them use WhatsApp Web. “When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web,” WhatsApp said. “To ensure that you are using the latest version, please restart your browser.”
Telegram claimed that its problems aren’t as severe since a second step was required by the users for the exploit to work. “The WhatsApp case was more severe by several degrees of magnitude since it didn’t require any actions from the target user except for opening a received attachment,” Markus Ra, Telegram’s head of support and public relations, said. “So an attacker could take over an account if the target simply opened a funny cat picture and did nothing else.”
Telegram users had to right-click on the image content and choose to open it in a new window or tab for the malicious code to execute. However, while WhatsApp Web users are alerted if more than one session is active, Telegram allows multiple active sessions, which means victims weren’t alerted if an unauthorized user logged into their account at the same time.
Both messaging apps claim that there is no record of abuse of this vulnerability.