Researchers have uncovered 'severe vulnerabilities' in WhatsApp and Telegram that would allow attackers to seize control of user accounts.
The two enormously popular apps use end-to-end encryption, enabling users to communicate privately.
But attackers can utilise a flaw in the way both chat apps process images and multimedia files to effectively hijack a user’s account, according to a report from security firm Check Point.
The vulnerability lies in the upload file mechanism, which enables users to attach several document types, such as Office documents, PDF, audio files, video and images.
Check Point was able to bypass the mechanism's restrictions by uploading a malicious HTML document with a legitimate preview of an image, duping a recipient into clicking on it.
At that point, the WhatsApp web client uses the FileReader HTML 5 API call to generate a unique BLOB URL, Check Point said; users are then hijacked to the malicious URL.
If exploited, the vulnerability could enable remote attackers to gain access to WhatsApp's and Telegram's local storage and thus take over any user's account and siphon out personal and group conversations, photos, videos and other shared files, contact lists, and more.
The implication is that the material could then be uploaded online under the user's identity, messages could be sent in their name, and their friends' accounts could also be targeted.
"Once bypassing WhatsApp and Telegram file upload security validations, attackers can add any HTML or JavaScript code that will be executed on the other side," Oded Vanunu, head of product vulnerability research at Check Point, said.
Both apps, he said, are using image or video with malicious HTML or JavaScript code - there is no difference in the two attack methods.
With WhatsApp, once opened the code allowed attackers to get into the user's local storage and then their account. In Telegram, however, the attack required more specific actions; a user would need to open the video in a separate Chrome tab.
"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent."
The WhatsApp and Telegram mobile apps are unaffected by these vulnerabilities - the scope of the attack is limited to their web applications.
Following Check Point's disclosure of the flaw on March 7 to the security teams at WhatsApp and Telegram, the companies each quickly issued a fix. Users are advised to make certain they are using the latest version and to restart their browsers.
"Following the patch of this vulnerability, content is now validated by WhatsApp and Telegram before the encryption, allowing them to block malicious files," the report said.
The good news is that the flaw has not yet been detected in the wild, Vanunu said. But that does not mean users are safe, as WikiLeaks documents have provided evidence that
WhatsApp has more than one billion users worldwide, while Telegram has more than 100 million monthly active users.
.jpg&h=140&w=231&c=1&s=0)
