WhatsApp flaw let hackers hijack accounts with image trick
16 March 2017
Researchers from Check Point found a flaw in the way the web versions of WhatsApp and Telegram process images, which could allow attackers to trick victims into clicking links.
By sending what appears to be an innocuous photo, cyber criminals could fool users into opening HTML pages containing malware and hijack their accounts.
“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists and more,” wrote Check Point’s researchers in a blog post explaining the attack.
“This means that attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom and even take over your friends’ accounts.”
For the attack to work in WhatsApp, a user just had to open the malicious image, while in Telegram they had to open a video in a separate Chrome tab.
“Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” the researchers said.
The security firm reported the flaw to the teams behind the apps on March 7th and they have since changed their file validation processes.
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Check Point’s Oded Vanunu, adding that users should ensure they are using the most recent versions of the messaging services’ web apps.
By Matt Smith