Check Point researchers have disclosed, in a press release, a new vulnerability in WhatsApp Web and Telegram Web, the online platforms of two of the world's most popular messaging services.
By exploiting this vulnerability, attackers could completely take over user accounts, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more.
“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account takeover,” says Oded Vanunu, head of product vulnerability research at Check Point. “By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.”
The vulnerability allows an attacker to send the victim malicious code, hidden within an innocent looking image. As soon as the user clicks on the image, the attacker can gain full access to the victim's WhatsApp or Telegram storage data, thus giving full access to the victim's account. The attacker can then send the malicious file to all the victim's contacts, potentially enabling a widespread attack.
Alex Mathews, lead security evangelist at Positive Technologies, said: “One billion people now use WhatsApp and 100m Telegram. Given the fact such services are deeply ingrained in a massive portion of the world's daily lives, they are going to be an emerging target for attacks of all kinds. When you raise your head above the parapet, people look to knock it off for nefarious gain. This is the unfortunate truth of today's digitally reliant world. The security research community plays a vital part in addressing this problem, helping companies in positions of influence find vulnerabilities and weaknesses in their approach and assisting with fixes. The quick response of both WhatsApp and Telegram in this case is a positive sign of this process at work.”
Check Point disclosed this information to the WhatsApp and Telegram security teams on 8 March 2017. WhatsApp and Telegram acknowledged the security issue and developed fixes for their web clients worldwide. “Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu. WhatsApp Web users wishing to ensure that they are using the latest version are advised to restart their browser.
WhatsApp and Telegram use end-to-end message encryption as a data security measure, to ensure that only the people communicating can read the messages, and nobody in between. Yet the same end-to-end encryption was also the source of this vulnerability. Because messages were encrypted on the sender's side, WhatsApp and Telegram were blind to the content and were therefore unable to prevent malicious content from being sent. With the fix in place, content is now validated before encryption, allowing malicious files to be blocked.
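
The validate-before-encrypt ordering described above, sketched as an added example; this is not WhatsApp's or Telegram's code. The function names and the caller-supplied `encrypt` callback are hypothetical, and the check shown (file header must match the declared image type) is one assumed form of content validation.

```javascript
// Added example: sender-side validation that runs before encryption.
// Signatures are the well-known leading bytes of each image format.
const SIGNATURES = [
  { mime: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // GIF87a
  { mime: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // GIF89a
];

// Return the MIME type implied by the leading bytes, or null if unknown.
function sniffImageType(data) {
  for (const sig of SIGNATURES) {
    if (data.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => data[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Hypothetical send path: validate first, encrypt only what passed.
// `encrypt` is supplied by the caller (assumption; it stands in for
// the client's real end-to-end encryption step).
function validateThenEncrypt(data, declaredMime, encrypt) {
  const actual = sniffImageType(data);
  if (actual === null) {
    return { sent: false, reason: "content is not a recognised image" };
  }
  if (actual !== declaredMime) {
    return { sent: false, reason: `declared ${declaredMime}, content is ${actual}` };
  }
  // Only validated content ever reaches the encryption step.
  return { sent: true, mime: actual, ciphertext: encrypt(data) };
}

// Constructed sample inputs (not taken from the reported issue).
const realPng = Uint8Array.from(
  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const notAnImage = new TextEncoder().encode("<!DOCTYPE html><p>not an image</p>");
```

Because the check runs in the sending client, the server still never sees plaintext; the file is rejected before it is encrypted.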
Both web versions mirror all messages sent and received by the user on the mobile app, and are fully synced with users' devices.
WhatsApp has over one billion users worldwide, making it the most prevalent instant messaging service available today. The company's web version is available on all browsers and WhatsApp supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and Nokia smartphones. Telegram is a cloud-based mobile and desktop messaging app that has over 100 million monthly active users, delivering over 15 billion messages daily.
Professor Giovanni Vigna, co-founder, malware detection firm Lastline said: "This flaw shows how difficult it is to balance security and usability. WhatsApp did the right thing by encrypting the content, but by doing it too early in the message analysis pipeline, they could not determine that a message might be crafted to contain malicious code. This code could then access malicious information, which could be used to log into a user's account for the web application. This flaw could be easily mitigated by using 2-factor authentication (recently introduced by WhatsApp), which has been proven to be one of the best security mechanisms to prevent widespread compromise."
Mark James, security specialist at ESET: “As the bad guys get smarter our applications need to keep up. More and more of our communications are open to abuse from cyber-criminals and the opportunistic eavesdropper. One of the ways to get around this process is using something called end-to-end message encryption. WhatsApp states that “When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.” I.e. I encrypt it (automatically) from my application before I send it and you decrypt it at your end when you receive it. That means if anyone compromises the data in transit they are unable to use or identify anything within it, and there lies the problem - it limits your options for checking for anything malicious. Luckily this only affected the web platform so once resolved by WhatsApp themselves it only requires a browser restart.”