WhatsApp and Telegram were notified of a shared problem

Mar 15, 2017 15:55 GMT

WhatsApp and Telegram have patched critical flaws in their apps that could allow attackers to gain control over user accounts. 

Researchers from Check Point Software Technologies say they discovered issues with the way the two apps process several types of files without checking whether they contain malicious code.

They note that the web versions of these platforms, WhatsApp Web and Telegram Web, mirror all messages sent and received by the user, since they are fully synced with the phone. If exploited, the vulnerability they found could allow attackers to completely take over users' accounts on any browser and access their personal and group conversations, photos, videos and other shared files, as well as contact lists and basically any other information they share with the app. That translates into someone stealing your photos, sending messages in your name, demanding ransom, and so on.

So how does this work? It all starts with the attacker sending the victim a file that looks innocent but contains malicious code. The file can easily be dressed up to make sure the victim takes the bait and opens it. Once it is opened, the attacker can go ahead and "own" the account.

"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," researchers note in their post.

The vulnerability was disclosed to WhatsApp and Telegram last week, and both rolled out updates for their web clients soon after. All users need to do to get the update is restart their browser, so it is probably safe to say everyone is now protected.

The impact of this bug is massive. WhatsApp has over 1 billion users worldwide, and Telegram has another 100 million monthly users. It's unknown at this point what percentage of these numbers use the web platforms provided by the apps.

The technical details

In the case of WhatsApp, Check Point researchers managed to bypass the app's upload restrictions by uploading a malicious HTML document carrying a legitimate-looking image preview, so the victim believes they are clicking on a link to view a cute cat picture, or whatever else may interest them.

Once the victim clicks on the document, the file is opened in the browser and the user can say goodbye to their account. "Once he clicks on the file, the victim will see a funny cat under blob object which is an html5 FileReader object under web.whatsapp.com. That means the attacker can access the resources in the browser under web.whatsapp.com," the post reads.

The victim doesn't have to do anything else: just clicking on the link makes their local storage data available to the attacker. A JavaScript function on the attacker's side then polls frequently for new data and replaces the attacker's own local storage with the victim's, which is what hands over the account.

The attack on Telegram works pretty much the same way: the attackers have to bypass the upload policy in order to upload a malicious HTML document with the MIME type of a video file. Once the file is accessed, the attacker can get their hands on the user's data.
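The root cause in both cases, as the Check Point quote above puts it, is that an attachment was encrypted and relayed, and later rendered under the web client's own origin, on the strength of a declared type and a preview alone. Below is an added illustration in JavaScript of the kind of check a client or relay would apply to the plaintext before encrypting and forwarding an attachment; it is not Check Point's, WhatsApp's or Telegram's code, and the function names, signature table and sample inputs are constructed for this example.

```javascript
// Added example (not Check Point's, WhatsApp's or Telegram's code): decide what
// an uploaded attachment really is before it is encrypted and relayed, and
// refuse to treat anything that is actually HTML as an inline image or video.
// All function names, the signature table and the sample inputs are constructed.

// Byte signatures ("magic numbers") for the inline-renderable types we accept.
// Each entry maps a declared MIME type to one or more {offset, bytes} patterns.
const SIGNATURES = {
  'image/jpeg': [{ offset: 0, bytes: [0xff, 0xd8, 0xff] }],
  'image/png':  [{ offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
  'image/gif':  [{ offset: 0, bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] },   // GIF87a
                 { offset: 0, bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }],  // GIF89a
  // ISO BMFF (mp4): the "ftyp" box type sits at offset 4, after the 4-byte box size.
  'video/mp4':  [{ offset: 4, bytes: [0x66, 0x74, 0x79, 0x70] }],
};

function matchesPattern(bytes, { offset, bytes: sig }) {
  if (bytes.length < offset + sig.length) return false;
  return sig.every((b, i) => bytes[offset + i] === b);
}

// Return the MIME type whose signature the content actually carries, or null.
function sniffType(bytes) {
  for (const [mime, patterns] of Object.entries(SIGNATURES)) {
    if (patterns.some(p => matchesPattern(bytes, p))) return mime;
  }
  return null;
}

// A browser will treat a blob as a document if it parses as HTML, whatever the
// declared type says, so look for HTML markers in the first 1 KiB regardless.
// This is deliberately conservative: a real image that happens to contain one
// of these strings in its header is rejected rather than risked.
const HTML_MARKERS = ['<!doctype html', '<html', '<head', '<body', '<script', '<iframe', '<svg'];

function looksLikeHtml(bytes) {
  const head = String.fromCharCode(...bytes.subarray(0, 1024)).toLowerCase();
  return HTML_MARKERS.some(m => head.includes(m));
}

// Policy decision for one attachment. `declaredMime` is what the sending
// client claimed; `bytes` is the plaintext, checked before encryption (the
// point in the pipeline where the article says validation was missing).
function validateAttachment(declaredMime, bytes) {
  if (looksLikeHtml(bytes)) {
    return { ok: false, inline: false, reason: `content parses as HTML; refusing to relay as ${declaredMime}` };
  }
  const actual = sniffType(bytes);
  if (declaredMime in SIGNATURES) {
    if (actual !== declaredMime) {
      return { ok: false, inline: false, reason: `declared ${declaredMime} but content signature is ${actual || 'unknown'}` };
    }
    return { ok: true, inline: true, reason: 'signature matches declared type; may be rendered inline' };
  }
  // Anything outside the inline whitelist is relayed as a download only
  // (Content-Disposition: attachment), never rendered under the app's origin.
  return { ok: true, inline: false, reason: 'not an inline type; deliver as download, never render' };
}

// Constructed sample inputs (not real files): a minimal JPEG header, a PNG
// header, and an HTML document that a sender might try to pass off as media.
const bytesOf = s => Uint8Array.from(s, c => c.charCodeAt(0));
const SAMPLE_JPEG = Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const SAMPLE_PNG  = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const SAMPLE_HTML_AS_MEDIA = bytesOf('<!DOCTYPE html><html><body><img src="cat.jpg"></body></html>');

// Walk the cases the article describes: a genuine image, HTML declared as an
// image (the WhatsApp case) and HTML declared as a video (the Telegram case).
for (const [declared, data] of [
  ['image/jpeg', SAMPLE_JPEG],
  ['image/jpeg', SAMPLE_HTML_AS_MEDIA],
  ['video/mp4', SAMPLE_HTML_AS_MEDIA],
]) {
  const verdict = validateAttachment(declared, data);
  console.log(`${declared}: ok=${verdict.ok} inline=${verdict.inline} (${verdict.reason})`);
}
```

The signature check alone catches the mismatch in the story (HTML declared as an image or as a video), and the HTML sniff catches files crafted to satisfy both parsers. Note that the check runs on the plaintext on the sender's side or at the upload step; once the message is end-to-end encrypted, as the ESET comment below points out, nobody in between can inspect it, which is why the order of validation and encryption in the pipeline matters.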

Thankfully, however, this problem has been fixed. It is unknown if anyone else picked up on the problem before it was reported to the two companies.

"This flaw shows how difficult it is to balance security and usability. WhatsApp did the right thing by encrypting the content, but by doing it too early in the message analysis pipeline, they could not determine that a message might be crafted to contain malicious code. This code could then access malicious information, which could be used to log into a user’s account for the web application. This flaw could be easily mitigated by using 2-factor authentication (recently introduced by WhatsApp), which has been proven to be one of the best security mechanisms to prevent wide-spread compromise," said Professor Giovanni Vigna, co-founder of malware detection firm Lastline.

"As the bad guys get smarter our applications need to keep up. More and more of our communications are open to abuse from cybercriminals and the opportunistic eavesdropper. One of the ways to get around this process is using something called end-to-end message encryption. WhatsApp states that “When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.” I.e. I encrypt it (automatically) from my application before I send it and you decrypt it at your end when you receive it. That means if anyone compromises the data in transit they are unable to use or identify anything within it, and there lies the problem - it limits your options for checking for anything malicious. Luckily this only affected the web platform so once resolved by WhatsApp themselves it only requires a browser restart," added Mark James, security specialist at ESET.

Updated to include expert commentary.