A security vulnerability has been uncovered in the web versions of the WhatsApp and Telegram messaging apps that could allow hackers to hijack users’ accounts “in seconds”.
The flaw, uncovered by cyber security firm Check Point, could potentially give hackers access to victims’ contact lists, conversations, photos, videos and other shared files.
Attackers are able to exploit the vulnerability by sending the victim an innocent-looking image file with a malicious piece of code buried inside.
As soon as the user clicks on the image, the attacker can gain full access to their WhatsApp or Telegram account.
They can then send the malicious file to all the victim’s contacts, potentially enabling a widespread attack.
“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account takeover,” said Oded Vanunu, head of product vulnerability research at Check Point.
“By simply sending an innocent-looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.”
Check Point said the source of the vulnerability was – ironically – the end-to-end message encryption used by both WhatsApp and Telegram to protect users’ data.
Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were therefore unable to prevent malicious content from being sent.
The vulnerability was disclosed to WhatsApp and Telegram on March 8. Since then, both companies have acknowledged and fixed the vulnerability.
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Vanunu.
Users can ensure they are protected simply by restarting their browser. You do not need to download a new version of the software.