Menu
Malicious uploads allowed hijacking of WhatsApp and Telegram accounts

Malicious uploads allowed hijacking of WhatsApp and Telegram accounts

The companies patched the account takeover vulnerability after it was privately reported to them

A vulnerability patched in the web-based versions of encrypted communications services WhatsApp and Telegram would have allowed attackers to take over accounts by sending users malicious files masquerading as images or videos.

The vulnerability was discovered last week by researchers from Check Point Software Technologies and was patched by the WhatsApp and Telegram developers after the company privately shared the flaw's details with them.

The web-based versions of WhatsApp and Telegram synchronize automatically with the apps installed on users' phones. At least in the case of WhatsApp, once paired using a QR code, the phone needs to have an active internet connection for WhatsApp messages to be relayed to the browser on the computer.

Both web-based apps allow users to upload certain types of files like images and videos and have mechanisms checks in place to ensure that only those file types are used. However, the Check Point researchers have found a way to bypass those verifications and upload HTML files instead. Furthermore, they could make those files mimic images and videos, making them less suspicious and more attractive for users to open.

Since any HTML code executed in the context of those web apps would inherit their permissions inside the browser, attackers could have used use this technique to steal the local storage contents of those apps and upload them to a remote server. If placed in the attackers browsers, the contents could allow them to authenticate as the targeted users.

This means attackers could have gained access to the victims' message histories and shared files and could even have sent messages on their behalf, potentially compromising their contacts in a worm-like attack.

Check Point reported the vulnerability to both companies on March 8. Since the code of the web apps is loaded directly from the WhatsApp and Telegram servers, users don't need to do anything to get the patch. The companies have fixed the issues server-side.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments