WhatsApp and Telegram patch massive security flaw in web services

Share on facebook
Share on twitter
Share on linkedin
Share on email

WhatsApp and Telegram have responded quickly to patch a security flaw that could have seen user accounts being hijacked by attackers.

The vulnerability was discovered by Check Point and involves an attacker sending a malicious file to a victim. The vulnerability was only present in the web applications of Telegram and WhatsApp and here’s how it would work.

An attacker would send the malicious file to the victim. This file might contain the latest meme doing the rounds or any other image tempting enough to be opened.

Upon opening the file the user would be redirected to a webpage that would in turn grant an attacker access to the victim’s account. Once inside the attacker would have full control over the victim’s account and could potentially send the malicious file along to all their contacts.

According to Check Point, the safety of encryption in WhatsApp and Telegram made this sort of attack possible. “Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” said Check Point.

You can see a demonstration of the attack on both Telegram and WhatsApp below.

The vulnerability has since been patched so that messages are checked before they are encrypted so that malicious files can be blocked

Users need only restart their browser to activate the latest version of either service.

It shouldn’t need saying but be wary of any links you are sent, whatever the platform. If you aren’t sure what something is, contact a friend or if you have access to one, your IT department.

[Image – CC BY 2.0 Sam Azgor]

Brendyn Lotz

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.