Two popular end-to-end encrypted messaging services, WhatsApp and Telegram, have patched their respective web clients against a new security vulnerability.
Researchers from Israeli firm Check Point discovered the issue, which allows an attacker to take over a user's account simply by getting the user to click on a picture.
The hack only affected the browser-based versions of WhatsApp and Telegram. So, users relying on the mobile apps are not vulnerable to the attack.
According to Check Point security researchers, this vulnerability allows attackers to upload and send malicious code hidden inside HTML files.
Both WhatsApp and Telegram would show a preview image for these links, making users believe they were accessing a video or image.
Attacker’s Access to Browser’s LocalStorage
This eventually allowed attackers to gain full access to the user's account on any browser. The attacker can then view and manipulate chat sessions and access the victim's personal and group chats, photos, videos, and other shared files.
To make this attack widespread, the attacker can then send the malware-laden image to everyone on the victim’s contact list.
The researchers also provided a video demonstration that shows the attack in action.
Why This Vulnerability Went Undetected?
Both WhatsApp and Telegram use end-to-end encryption for their messages to ensure that nobody except the sender and the receiver can read the messages in between.
However, this same end-to-end encryption security measure was also the source of this vulnerability.
WhatsApp and Telegram had no idea that malicious code was being sent to the receiver, because the messages were encrypted on the sender's side.
Check Point informed both WhatsApp and Telegram of this flaw last week. WhatsApp fixed the flaw within 24 hours on Thursday, March 8, while Telegram patched the issue on Monday.
The patch was a server-side fix, so users don't have to do anything beyond restarting their browser.
The fix updated the way both services scan transferred files. Both WhatsApp and Telegram now validate the content of file transfers before the encryption process, which blocks malicious files.
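The kind of pre-encryption content check described above, as an added example that is not WhatsApp's or Telegram's code: the file's leading bytes must match an allowlisted media type, and anything that looks like HTML is refused before it is encrypted. The allowlist, function names and sample bytes are assumptions constructed for illustration.

```javascript
// Added example: content check run on the sender's client before encryption.
// Allowlist and names are assumptions, not either service's implementation.
const SIGNATURES = [
  { mime: "image/jpeg", offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/png", offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/gif", offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { mime: "video/mp4", offset: 4, bytes: [0x66, 0x74, 0x79, 0x70] }, // "ftyp" box
];

// Identify the file from its leading bytes, ignoring its name and declared type.
function sniffMime(data) {
  for (const sig of SIGNATURES) {
    if (data.length < sig.offset + sig.bytes.length) continue;
    if (sig.bytes.every((b, i) => data[sig.offset + i] === b)) return sig.mime;
  }
  return null;
}

// Does the start of the file look like an HTML document?
function looksLikeHtml(data) {
  const head = String.fromCharCode(...data.subarray(0, 512)).toLowerCase();
  return /<(!doctype|html|head|body|script|iframe|svg)\b/.test(head);
}

// Gate called before the encryption step; only matching media passes.
function validateBeforeEncrypt(data, declaredMime) {
  const allowed = SIGNATURES.some((s) => s.mime === declaredMime);
  if (!allowed) return { ok: false, reason: "type-not-allowed" };
  if (looksLikeHtml(data)) return { ok: false, reason: "html-content" };
  if (sniffMime(data) !== declaredMime) return { ok: false, reason: "content-mismatch" };
  return { ok: true, reason: null };
}

// Constructed samples: a PNG header and a harmless HTML document.
const bytesOf = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
const PNG_SAMPLE = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const HTML_SAMPLE = bytesOf("<!DOCTYPE html><html><body>constructed sample</body></html>");

function demo() {
  return [
    validateBeforeEncrypt(PNG_SAMPLE, "image/png"),  // genuine image
    validateBeforeEncrypt(HTML_SAMPLE, "image/png"), // HTML labelled as an image
    validateBeforeEncrypt(HTML_SAMPLE, "text/html"), // type outside the allowlist
    validateBeforeEncrypt(PNG_SAMPLE, "image/jpeg"), // declared type does not match bytes
  ].map((r) => r.reason);
}
console.log(demo());
```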