A new security vulnerability has recently been patched by two popular end-to-end encrypted messaging services — WhatsApp and Telegram — that could have allowed hackers to completely take over user account just by having a user simply click on a picture.
The hack only affected the browser-based versions of WhatsApp and Telegram, so users relying on the mobile apps are not vulnerable to the attack.
According to Checkpoint security researchers, the vulnerability resided in the way both messaging services process images and multimedia files without verifying that they might have hidden malicious code inside.
For exploiting the flaw, all an attacker needed to do was sending the malicious code hidden within an innocent-looking image. Once the victim clicked on the picture, the attacker could have gained full access to the victim's WhatsApp or Telegram storage data.
This eventually allowed attackers to take full access to the user's account on any browser, view and manipulate chat sessions, access victim's personal and group chats, photos, videos, audios, other shared files and contact lists as well.
Millions of WhatsApp and Telegram accounts could have been hacked using just a PHOTO!To make this attack widespread, the attacker can then send the malware-laden image to everyone on the victim's contact list, which could, eventually, mean that one hijacked account could be led to countless compromises by leapfrogging accounts.
The researchers also provided a video demonstration, given below which shows the attack in action.
Here's Why This Vulnerability Went Undetected:
Both WhatsApp and Telegram use end-to-end encryption for its messages to ensure that nobody, except the sender and the receiver, can read the messages in between.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
However, this same end-to-end encryption security measure was also the source of this vulnerability.
Since the messages were encrypted on the side of the sender, WhatsApp and Telegram had no idea or a way of knowing, that malicious code was being sent to the receiver, and thus were unable to prevent the content from being running.
"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," the researchers writes in a blog post.WhatsApp fixed the flaw within 24 hours on Thursday, March 8, while Telegram patched the issue on Monday.
Since the fixes have been applied on the server end, users don't have to update any app to protect themselves from the attack; instead, they just need a browser restart.
"It's a big vulnerability in a significant service," said Oded Vanunu, head of product vulnerability research at Check Point. "Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients."WhatsApp did not notice any abuse of the vulnerability, while Telegram claimed the flaw was less severe than WhatsApp, as it required the victim to right click on the image content and then open it in a new window or tab for the malicious code to run and exploit its users.
After fixing this flaw, content on the web versions of both WhatsApp and Telegram will now be validated before the end-to-end encryption comes into play, allowing malicious files to be blocked.