Malicious uploads allowed hijacking of WhatsApp and Telegram accounts
Security

Malicious uploads allowed hijacking of WhatsApp and Telegram accounts

A vulnerability patched in the web-based versions of encrypted communications services WhatsApp and Telegram would have allowed attackers to take over accounts by sending users malicious files masquerading as images or videos.

The vulnerability was discovered last week by researchers from Check Point Software Technologies and was patched by the WhatsApp and Telegram developers after the company privately shared the flaw's details with them.

The web-based versions of WhatsApp and Telegram synchronize automatically with the apps installed on users' phones. At least in the case of WhatsApp, once paired using a QR code, the phone needs to have an active internet connection for WhatsApp messages to be relayed to the browser on the computer.

Both web-based apps allow users to upload certain types of files like images and videos and have mechanisms checks in place to ensure that only those file types are used. However, the Check Point researchers have found a way to bypass those verifications and upload HTML files instead. Furthermore, they could make those files mimic images and videos, making them less suspicious and more attractive for users to open.

Since any HTML code executed in the context of those web apps would inherit their permissions inside the browser, attackers could have used use this technique to steal the local storage contents of those apps and upload them to a remote server. If placed in the attackers browsers, the contents could allow them to authenticate as the targeted users.

This means attackers could have gained access to the victims' message histories and shared files and could even have sent messages on their behalf, potentially compromising their contacts in a worm-like attack.

Check Point reported the vulnerability to both companies on March 8. Since the code of the web apps is loaded directly from the WhatsApp and Telegram servers, users don't need to do anything to get the patch. The companies have fixed the issues server-side.

IDG Insider

PREVIOUS ARTICLE

«Battlefield 1: They Shall Not Pass's brutal new mode shines on Battlefield's grimmest map ever

NEXT ARTICLE

Microsoft Teams takes on Slack with enterprise bots, Office 365 tie-ins»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Will Kotlin overtake Java as the most popular Android programming language in 2018?