WhatsApp & Telegram Patch ‘Severe’ Vulnerabilities

Researchers at Check Point has warned of a “new severe vulnerability” for WhatsApp and Telegram, specifically related to the web versions of the end-to-end encrypted chat applications.

It comes after the recent WikiLeaks publication of sensitive US intelligence data revealed that American spy agencies like the CIA supposedly had the ability to bypass the encryption on WhatsApp, Telegram and Signal.

Severe Flaws

Check Point noted in a blog posting that these revelations had yet to be proven, but admitted that the development was “concerning.”

Messaging apps such as WhatsApp and Telegram use end-to-end encryption to guarantee user privacy, the researchers said. “This encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.”

“Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platform – WhatsApp Web and Telegram Web,” wrote Check Point. “The online version of these platforms mirror all messages sent and received by the user, and are fully synced with the users’ device.”

Alarmingly, it seems that attackers could exploit the flaw to gain full control of user accounts.

“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more,” warned Check Point. “This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.”

A video demonstration of Check Point researchers taking control of a WhatsApp and Telegram account can be found here and here.

The attacker is able to gain control of the victims account by sending a seemingly innocent looking file to the victim, which contains malicious code.

If the user clicks to open the image, the attacker is then able to access the local storage, where user data is stored.

What is even worse is the attacker has full access to the user’s account. They can then send the malicious file to the all victim’s contacts, which could further spread the vulnerability.

According to Check Point, since messages were encrypted without being validated first, WhatsApp and Telegram are blind to the content, thus making them unable to prevent malicious content from being sent.

Check Point did however act in a responsible manner and disclosed the flaw to WhatsApp’s and Telegram’s security teams on 7 March. Both firms developed fix for web clients worldwide soon after that.

“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said added Vanunu of Check Point. “WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.”

It seems that the patch means that content is now validated by WhatsApp and Telegram before the encryption, allowing them to block malicious files.

Security Scares

This is not the first time that WhatsApp has been at the centre of a security scare.

Earlier this year, Tobias Belter, a security researcher at the University of California, Berkeley, claimed to have a discovered ‘backdoor’ within WhatsApp that could allow governments or others to intercept supposedly encrypted messages.

The Facebook-owned messaging application has been especially vocal about its encryption capabilities, but said it already knew about the issue and that it was “expected behaviour.”

And in 2015 the Electronic Frontier Foundation’s (EFF) awarded WhatsApp just one star out of a possible five for security.

It awarded just one star as WhatsApp opposed back doors in its software, but also because it failed to disclose government-issued data requests and disclose policies on data retention.

Quiz: What do you know about Facebook?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

3 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

3 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

3 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

3 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

3 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

3 days ago