WhatsApp and Telegram are two instant messaging apps that have more than a billion users between them. They offer encrypted communications, convenient messaging, and a bunch of other features that don’t get the headlines. But new research reveals that a malware-injected image would have been enough to steal someone’s WhatsApp or Telegram web accounts. It’d take only a few seconds after which the attacker would gain complete control over accounts, including access to images, video, audio files, and contacts. And encryption would actually help with this sort of hack.
The vulnerability worked on the desktop versions of the apps, so if you’re not using WhatsApp or Telegram on your computer, then you were already safe.
Security researchers found that malicious code can be hidden inside an image. When clicked, the picture file executes the code, and the attacker gets full access to the WhatsApp and/or Telegram storage data. The attacker could then send the file to all of the victim’s contacts, spreading the malware to other targets.
Discovered by Check Point, the vulnerability was shared with WhatsApp and Telegram on March 8th, and both companies have already deployed fixes for their desktop clients.
Interestingly, it’s the end-to-end encryption feature of these apps that would have helped hackers take advantage of the flaw. Because the contents of chats are end-to-end encrypted, it means that neither WhatsApp nor Telegram could see the malware hidden in a shared malicious image. That means both companies would be blind to the content, allowing malicious code to be passed back and forth between users.
Henceforward, content will be validated before the encryption, Check Point explains, which would block malicious files.