Web version of WhatsApp messenger was at risk from malicious files
A single dodgy image could let attackers read your WhatsApp messages – but only through the browser-based version of the messaging app.
Security firm Check Point spotted the flaw in Facebook-owned WhatsApp and Telegram, though it only affects the web-based versions of those tools, not the mobile apps themselves. It’s triggered by sending a malicious file, such as a photo.
“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more,” noted Check Point’s researchers in a blog post. “This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.”
To use the flaw, attackers would send a file to the target that looked innocent but contained malicious code, which opens up access to let the hacker grab data. It takes advantage of WhatsApp’s encryption, which protects an image from being viewed without validating it first. That means the malicious file can sneak through.
“Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” Check Point’s researchers noted.
The flaw was reported to WhatsApp and Telegram on 7 March, with a patch already rolled out. Anyone using the web version of either messaging app should make sure they restart the browser to ensure they are using the latest version.
Director of the Kent Cyber Security Centre, Eerke Boiten, agreed, saying it was worth stressing it’s not encryption that’s at issue, but malicious files.