‘Severe vulnerability’ found with encrypted chat apps that could allow attackers to take complete control of user accounts
Researchers at Check Point has warned of a “new severe vulnerability” for WhatsApp and Telegram, specifically related to the web versions of the end-to-end encrypted chat applications.
It comes after the recent WikiLeaks publication of sensitive US intelligence data revealed that American spy agencies like the CIA supposedly had the ability to bypass the encryption on WhatsApp, Telegram and Signal.
Check Point noted in a blog posting that these revelations had yet to be proven, but admitted that the development was “concerning.”
Messaging apps such as WhatsApp and Telegram use end-to-end encryption to guarantee user privacy, the researchers said. “This encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.”
“Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platform – WhatsApp Web and Telegram Web,” wrote Check Point. “The online version of these platforms mirror all messages sent and received by the user, and are fully synced with the users’ device.”
Alarmingly, it seems that attackers could exploit the flaw to gain full control of user accounts.
“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more,” warned Check Point. “This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.”
The attacker is able to gain control of the victims account by sending a seemingly innocent looking file to the victim, which contains malicious code.
If the user clicks to open the image, the attacker is then able to access the local storage, where user data is stored.
What is even worse is the attacker has full access to the user’s account. They can then send the malicious file to the all victim’s contacts, which could further spread the vulnerability.
According to Check Point, since messages were encrypted without being validated first, WhatsApp and Telegram are blind to the content, thus making them unable to prevent malicious content from being sent.
Check Point did however act in a responsible manner and disclosed the flaw to WhatsApp’s and Telegram’s security teams on 7 March. Both firms developed fix for web clients worldwide soon after that.
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said added Vanunu of Check Point. “WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.”
It seems that the patch means that content is now validated by WhatsApp and Telegram before the encryption, allowing them to block malicious files.
This is not the first time that WhatsApp has been at the centre of a security scare.
Earlier this year, Tobias Belter, a security researcher at the University of California, Berkeley, claimed to have a discovered ‘backdoor’ within WhatsApp that could allow governments or others to intercept supposedly encrypted messages.
The Facebook-owned messaging application has been especially vocal about its encryption capabilities, but said it already knew about the issue and that it was “expected behaviour.”
And in 2015 the Electronic Frontier Foundation’s (EFF) awarded WhatsApp just one star out of a possible five for security.
It awarded just one star as WhatsApp opposed back doors in its software, but also because it failed to disclose government-issued data requests and disclose policies on data retention.