Published On: Wed, Mar 15th, 2017

How One Cat Image Could Have Hijacked Your WhatsApp or Telegram Account

A disadvantage found in a web versions of WhatsApp and Telegram could have been exploited to silently meddler over user accounts. Security researchers disclosed a disadvantage to a open progressing currently after a dual renouned messaging apps bound a flaw.

The vulnerability would have “allowed enemy to totally take over users’ accounts on any browser, and entrance victims’ personal and organisation conversations, photos, videos and other common files, hit lists, and more,” confidence experts during Check Point wrote. “Attackers could potentially download your photos and or post them online, send messages on your behalf, direct ransom, and even take over your friends’ accounts.”

WhatsApp and Telegram disadvantage – how it works

The disadvantage authorised an assailant to emanate antagonistic formula and censor it within an design or video, and send it to a aim WhatsApp or Telegram user. When a plant opens this trusting looking record containing antagonistic code, a antagonistic record authorised a assailant to entrance WhatsApp’s and Telegram’s internal storage, where user information is stored.

Once this HTML inject was uploaded and was encrypted and delivered to a other side [the WhatsApp server], a other side was digest this HTML, innocent-looking design and executed a formula that was hidden a internal storage of a user.

From here on, enemy could benefit full entrance to a user comment and data, including messages and photos. Since a assailant gets a finish control over a victim’s messaging app, they can also send this antagonistic record to all a victim’s contacts, serve augmenting their aim base.

The smirch is believed to have been inspiring WhatsApp given a launch in Jan 2015. The company, however, responded fast to a bug news and bound it in reduction than 24 hours of being reported. The smirch was reportedly patched on Thursday, Mar 8.

Encryption indeed adored attackers

The Facebook-owned messaging use bound a vicious confidence disadvantage by forcing validation of calm before encryption so that antagonistic files can be blocked. Previously, a end-to-end encryption was operative in preference of enemy given a summary calm wasn’t being certified by a messaging services.

Since messages were encrypted but being certified first, WhatsApp and Telegram were blind to a content, so creation them incompetent to forestall antagonistic calm from being sent.

WhatsApp has over 1.3 billion users, however, it’s misleading how many of them use WhatsApp Web. “When Check Point reported a issue, we addressed it within a day and expelled an refurbish of WhatsApp for web,” WhatsApp said. “To safeguard that we are regulating a latest version, greatfully restart your browser.”

Telegram claimed that a problems aren’t as serious given a second step was compulsory by a users for a feat to work. “The WhatsApp box was some-more serious by several degrees of magnitude since it didn’t need any actions from a aim user solely for opening a perceived attachment,” Markus Ra, Telegram’s conduct of support and open relations, said. “So an assailant could take over an comment if a aim simply non-stop a humorous cat design and did zero else.”

Telegram users had to right click on a design calm and select to open it in a new window or add-on for a antagonistic formula to execute. However, while WhatsApp Web users are alerted if some-more than one event is active, Telegram allows mixed active sessions, that means victims weren’t alerted if an unapproved user logged into their comment during a same time.

Both a messaging apps explain that there is no record of abuse of this vulnerability.

About the Author

Leave a comment

XHTML: You can use these html tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>