WhatsApp flaw let hackers hijack accounts with image trick

Cyber criminals could hijack users’ WhatsApp and Telegram accounts by sending specially-crafted malicious images, according to security experts.

Researchers from Check Point found a flaw in the way the messaging apps’ web versions process images that could allow attackers to trick victims into clicking links.

By sending what appears to be an innocuous photo, cyber criminals could fool users into opening HTML pages containing malware and hijack their accounts.

“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists and more,” wrote Check Point’s researchers in a blog post explaining the attack.

“This means that attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom and even take over your friends’ accounts.”

For the attack to work in WhatsApp, a user just had to open the malicious image, while in Telegram they had to open a video in a separate Chrome tab.

“Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” the researchers said.

The security firm reported the flaw to the teams behind the apps on March 7th and they have since changed their file validation processes.

“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Check Point’s Oded Vanunu, adding that users should ensure they are using the most recent versions of the messaging services’ web apps.
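
Because the server only ever sees ciphertext, a check on what a file really contains has to run on the sending client before encryption. The sketch below is an added example, not WhatsApp's or Telegram's code (the article says only that they changed their file validation); the allow-list, function names and sample bytes are assumptions made for illustration.

```javascript
// Added example: validate an attachment on the sending client BEFORE it is
// encrypted, since the server cannot inspect ciphertext afterwards.
// The allow-list and all function names are illustrative assumptions.
const SIGNATURES = new Map([
  ["image/png", [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]]],
  ["image/jpeg", [[0xff, 0xd8, 0xff]]],
  ["image/gif", [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]]],
]);

function hasPrefix(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// True when the file begins (after a BOM or whitespace) with HTML/XML markup.
function looksLikeMarkup(bytes) {
  const head = String.fromCharCode(...bytes.slice(0, 512))
    .replace(/^\u00ef\u00bb\u00bf/, "") // UTF-8 BOM as seen byte-by-byte
    .trimStart()
    .toLowerCase();
  return /^<(!doctype|html|head|body|script|svg|\?xml|!--)/.test(head);
}

// The declared type must be allow-listed AND the leading bytes must match it.
function validateAttachment(declaredType, bytes) {
  const sigs = SIGNATURES.get(declaredType);
  if (!sigs) return { ok: false, reason: "type-not-allowed" };
  if (looksLikeMarkup(bytes)) return { ok: false, reason: "markup-content" };
  if (!sigs.some((sig) => hasPrefix(bytes, sig))) {
    return { ok: false, reason: "content-mismatch" };
  }
  return { ok: true, reason: "ok" };
}

// Validation gates encryption: rejected files never reach `encrypt`.
function prepareForSend(declaredType, bytes, encrypt) {
  const verdict = validateAttachment(declaredType, bytes);
  if (!verdict.ok) return { sent: false, reason: verdict.reason };
  return { sent: true, reason: "ok", ciphertext: encrypt(bytes) };
}

// Constructed sample inputs: a PNG header and an HTML page.
const PNG_SAMPLE = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const HTML_SAMPLE = new TextEncoder().encode("\n<!DOCTYPE html><html><body>hi</body></html>");
```

A receiving client would repeat the same check after decryption, since it cannot assume the sender ran it.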

