Dodgy pics sneak into WhatsApp web

Web version of WhatsApp messenger was at risk from malicious files

A single dodgy image could let attackers read your WhatsApp messages but only through the browser-based version of the messaging app.

Security firm Check Point spotted the flaw in Facebook-owned WhatsApp and Telegram, though it only affects the web-based versions of those tools, not the mobile apps themselves. It's triggered by sending a malicious file, such as a photo.

"This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more," noted Check Point's researchers in a blog post. "This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts."

To use the flaw, attackers would send a file to the target that looked innocent but contained malicious code, which opens up access to let the hacker grab data. It takes advantage of WhatsApp's encryption, which protects an image from being viewed without validating it first. That means the malicious file can sneak through.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," Check Point's researchers noted.

The flaw was reported to WhatsApp and Telegram on 7 March, with a patch already rolled out. Anyone using the web version of either messaging app should make sure they restart the browser to ensure they are using the latest version.

Director of the Kent Cyber Security Centre, Eerke Boiten, agreed, saying it was worth stressing it's not encryption that's at issue, but malicious files.

"That they cannot be spotted is being blamed on the fact that they're encrypted - but spotting malicious files is an inexact science to start with; of course encryption does make it harder," he said. "WhatsApp say they will fix this by screening files for malicious content before they get encrypted and sent across; that seems sensible but imperfect."

Nevertheless, the fact malicious files hidden the way Check Point's researchers slipped them in was indeed a security design error, he said. "File previews could be just that, but it looks like they have used general web browser functionality for those, and thus allow code from inside a malicious file to actually attack the Whatsapp user's account," he added.

Boiten said it was similar to previous coverage of WhatsApp flaws, notably mention of the app in a tranche of CIA files leaked by Wikileaks. "The Wikileaks leak on CIA tools earlier had a completely gratuitous mention of WhatsApp: of course if you can control the device on which the encryption takes place, encryption itself has become pointless as you can grab the data before encryption takes place," he said. "That is not a flaw or even a 'circumvention' of the encrypted communication."

Advertisement - Article continues below

That doesn't mean the messaging service is perfectly secure, he noted. "Despite stories attacking WhatsApp for the wrong reasons, of course some caution regarding WhatsApp remains sensible," he said. "They may be encrypting the contents of communications, but the metadata of who messages whom (and when, and from where) is still visible to them. Such metadata is likely to be more useful than the content anyway, for their owners Facebook and other surveillance outfits."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/network-internet/web-browser/354614/microsoft-developer-declares-its-time-to-ditch-ie-for-edge
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020