The researchers at Check Point Security have today revealed that the web portal of popular encrypted messaging apps — WhatsApp and Telegram were vulnerable to attacks from hackers. This bug targetted user accounts via innocent-looking images and multimedia files, which appeared normal on the surface but opened malicious HTML links.
By exploiting this vulnerability, hackers had the ability to gain access to your accounts on either of the two messaging apps. It provided them access to everything ranging from your contacts list and personal or group conversation to photos, videos, and other shared files using the web browser. This means over a billion WhatsApp users and 100 million Telegram users were in danger of being hacked.
Speaking on the same in the blog post, Oded Vanunu, head of product vulnerability research at Check Point said,
This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser. This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.
The origin of this vulnerability is said to be the encryption mechanism which the messaging giants have specifically applied to protect us from intrusion. The timing of this discovery is also significant as leaked Wikileaks documents have suggested that U.S investigators have hacking tools to bypass these encryption techniques. They are said to have cracked both Android and iOS devices, which makes the messages readable before encryption.
End-to-end encryption (E2EE) is meant to prevent others from accessing our messages, ensuring that only people conversing at an instant can read the messages. But, Check Point defends them on this point saying that they wouldn’t have been able to read your encrypted messages, so there was no way of detecting the flaw. The same argument made it easier for the hacker to slip through malicious code through the encrypted walls of these messaging apps.
Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.
As for WhatsApp, the researchers mention that the vulnerability was more accessible as compared to Telegram. The Facebook-owned messaging client only required users to click to open an image and the malicious code granted hackers access to user information. The process for exploiting the flaw was, however, pretty unusual in Telegram. It saw the user first click on the multimedia file to run it and then open it up in a new Chrome tab, thus, giving the hacker access to your account.
Further, Check Point continues to add that it disclosed the significant vulnerability to WhatsApp and Telegram on March 7. Both the messaging giants acknowledged the bug and have issued an update after changing file upload validation protocols for the web portals. Currently, it is unknown whether the bug was exploited by hackers to access certain user accounts or not.
But, since WhatsApp and Telegram have both rolled out an updated and more secure version of their browser portal, we’ recommend you to shut down your web browser and restart it. This will refresh the current instance of the web portals, thus, making it completely safe to access conservations. WhatsApp might also show you notifications to refresh the web page to apply and use the said update.