“The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code, Once the user clicks to open it, the malicious file allows the attacker to access WhatsApp’s and Telegram’s local storage, where user data is stored”
Check Point explaining in a blog post the security vulnerability affecting WhatsApp and Telegram
Instant messenger people the web Browser version of WhatsApp or Telegram isn’t safe.
Security firm Check Point reported on March 15th 2017 that they had found a security vulnerability that let hackers to take over user accounts. This means hacker could potentially see:
- Shared files
It’s bad enough that Whatsapp may already be selling out E2EE security keys to the NSA and CIA as I’d pointed out in WhatsApp and Facebook Messenger may be sharing E2EE Keys with the NSA. Now some WhatsApp 1 billion users and Telegram has 100 million daily users may find their information exposed to hackers.
Luckily, the security flaw only affects the web versions of the messengers and not the apps….so smartphone users are safe. It’s the web.whatsapp users that this security vulnerability targets; luckily so far, no one has used it in the real world, so we’re somewhat safe for now.
WhatsApp is already on the case, as already an update fix has been issued, to quote a spokesperson at WhatsApp: “When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web”.
So how does this security vulnerability work?
Check Point’s hack of Whatsapp and Telegram – A funny Cat steals personal information
Check Point released the following YouTube videos demonstrating how these security vulnerabilities work. Check out the videos for the WhatsApp web vulnerability in action.
Now check out the Telegram web vulnerability in action.
The attacker could send a malicious HTML file i.e. website to the targets. A possible delivery vector could involve placing an ad in the newspaper or even distributing flyers with the website.
Thanks to E2EE (End to End Encryption) as described in Why Viber and WhatsApp going E2EE as Telecom Providers need encryption, dodging this attack is very hard, as the malicious HTML file get encrypted like a regular message.
Once clicked, the attacker can access your WhatsApp account and all associated information, as note by the Check Point in their blog post, quote: “Once the victim clicks on the document, the WhatsApp web client uses the FileReader HTML 5 API call to generate a unique BLOB URL with the file content sent by the attacker then navigates the user to this URL”.
In the case of the Telegram web interface, you’re entertained by a funny video, distracting you as the hacker access your account, quote: “Once the victim opens the video in a new browser tab, it will start playing and the users’ session data will be sent to the attacker”.
So users of WhatsApp and Telegram, upgrade your web interface or a funny cat will steal your files!
Like the post above? Check out these related posts: