WhatsApp and Telegram are two instant messaging apps that have more than a billion users between them. They offer encrypted communications, convenient messaging, and a bunch of other features that don’t get the headlines. But new research reveals that a malware-injected image would have been enough to steal someone’s WhatsApp or Telegram web account. The attack would take only a few seconds, after which the attacker would gain complete control over the account, including access to images, video, audio files, and contacts. And encryption would actually help with this sort of hack.
The vulnerability worked on the desktop versions of the apps, so if you’re not using WhatsApp or Telegram on your computer, then you were already safe.
According to Check Point security researchers, the vulnerability resided in the way both messaging services process images and multimedia files without verifying whether they might have malicious code hidden inside.
To exploit the flaw, all an attacker needed to do was send malicious code hidden within an innocent-looking image. Once the victim clicked on the picture, the attacker could have gained full access to the victim’s WhatsApp or Telegram storage data.
To make this attack widespread, the attacker could then send the malware-laden image to everyone on the victim’s contact list, which could, eventually, mean that one hijacked account could lead to countless compromises by leapfrogging from account to account.
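The missing verification described above can be illustrated with a content check that refuses to treat a file as an image unless its bytes carry the signature of the type it claims to be. This is an added example, not code from Check Point, WhatsApp or Telegram; the function names, the allowlist and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example: allowlist and sample bytes are constructed for illustration.
const IMAGE_SIGNATURES = new Map([
  ["image/png", [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]]],
  ["image/jpeg", [[0xff, 0xd8, 0xff]]],
  ["image/gif", [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]]],
]);

// Return the image type whose signature the content starts with, or null.
function sniffImageType(bytes) {
  for (const [mime, signatures] of IMAGE_SIGNATURES) {
    if (signatures.some((sig) => sig.every((b, i) => bytes[i] === b))) return mime;
  }
  return null;
}

// Accept an attachment as an image only if the declared type is allowlisted
// and the content itself carries that type's signature.
function validateAttachment(declaredMime, bytes) {
  if (!IMAGE_SIGNATURES.has(declaredMime)) {
    return { ok: false, reason: "declared type is not an allowed image type" };
  }
  const actual = sniffImageType(bytes);
  if (actual === null) {
    return { ok: false, reason: "content does not start with a known image signature" };
  }
  if (actual !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${actual}` };
  }
  return { ok: true, reason: "declared type matches content signature" };
}

// Constructed samples: a PNG header, and an HTML document labelled as a PNG.
const pngSample = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const htmlSample = new TextEncoder().encode("<!DOCTYPE html><html><body>not an image</body></html>");

function runSamples() {
  return [
    validateAttachment("image/png", pngSample),
    validateAttachment("image/png", htmlSample),
    validateAttachment("image/jpeg", pngSample),
    validateAttachment("text/html", htmlSample),
  ];
}

console.log(runSamples());
```

A matching signature only shows how the file begins, so this check belongs alongside, not instead of, handling the attachment strictly as the verified type when it is displayed.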
Check Point said it had not tested attacks against Signal, the encrypted communications app. The cryptography that powers Signal is deployed across WhatsApp, and Signal remains the de facto king of private calls and texts. It’s been recommended by congressmen, cryptographers, and the best-known leaker on the planet, Edward Snowden.