A flaw has been discovered in the web versions of Telegram and WhatsApp that allows a hacker to hijack an account via a specially crafted image. The flaw was discovered by Check Point and here’s what you need to know:
The exploitation of this vulnerability starts with the attacker sending an innocent-looking file to the victim, which contains malicious code.
The file can be modified to contain attractive content to raise the chances a user will open it. In WhatsApp, once the user clicks to open the image, the malicious file allows the attacker to access the local storage, where user data is stored. In Telegram, the user should click again to open a new tab, in order for the attacker to access local storage. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to all the victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.
Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.
For those of you who are more visual, here’s a video of the pwnage in action:
The good news is that this is already fixed by both parties. And better yet, the phone app appears not to be affected. Still, I’d advise that users of either web app avoid opening suspicious files and links from unknown users and flush their browser cache every once in a while.
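
The point above about messages being encrypted without being validated first can be shown as a client-side check that runs on the plaintext attachment before the encryption step. This is an added sketch, not WhatsApp's, Telegram's or Check Point's code; the function names, the three-type allowlist and the `encrypt` callback are assumptions made for illustration.

```javascript
// Added illustration: validate an attachment BEFORE it is encrypted,
// because after encryption nothing downstream can inspect its content.
// Allowlist of image types and their leading magic bytes.
const SIGNATURES = {
  "image/png": [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  "image/gif": [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // GIF87a
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // GIF89a
  ],
};

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Returns { ok, reason }. The declared type must be allowlisted AND
// the first bytes of the content must match that type's signature.
function validateAttachment(declaredType, bytes) {
  const type = String(declaredType).toLowerCase().split(";")[0].trim();
  const sigs = Object.hasOwn(SIGNATURES, type) ? SIGNATURES[type] : null;
  if (!sigs) return { ok: false, reason: "type not on allowlist" };
  if (!sigs.some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: "content does not match declared type" };
  }
  return { ok: true, reason: "" };
}

// Hypothetical send pipeline: encrypt() is only reached when validation passes.
function prepareForSend(declaredType, bytes, encrypt) {
  const verdict = validateAttachment(declaredType, bytes);
  if (!verdict.ok) throw new Error("attachment rejected: " + verdict.reason);
  return encrypt(bytes);
}

// Constructed sample inputs (not taken from the real incident).
const pngSample = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const mislabelled = new TextEncoder().encode("plain text, not image data");
const fakeEncrypt = (b) => Uint8Array.from(b).reverse(); // stand-in, not real crypto

console.log(validateAttachment("image/png", pngSample));
console.log(validateAttachment("image/jpeg", mislabelled));
```

A signature check like this only confirms that the leading bytes agree with the declared type; it complements, and does not replace, serving attachments in a way that keeps them away from the web app's local storage.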