Researchers from Check Point found a flaw in the way the web versions of WhatsApp and Telegram process images that could allow attackers to trick victims into clicking links.
By sending what appears to be an innocuous photo, cyber criminals could fool users into opening HTML pages containing malware and hijack their accounts.
“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists and more,” wrote Check Point’s researchers in a blog post explaining the attack.
“This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom and even take over your friends’ accounts.”
For the attack to work in WhatsApp, a user just had to open the malicious image, while in Telegram they had to open a video in a separate Chrome tab.
“Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” the researchers said.
The security firm reported the flaw to the teams behind the apps on March 7th and they have since changed their file validation processes.
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Check Point’s Oded Vanunu, adding that users should ensure they are using the most recent versions of the messaging services’ web apps.
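One form the file validation the article refers to can take, as an added example written for this piece and not code from Check Point, WhatsApp or Telegram; the function names, the signature table and the sample bytes are assumptions:

```python
# Added example (not Check Point's or the vendors' code): server-side check that a
# file declared as an image really is one before a web client is allowed to render it.
import re

# Magic-byte signatures for the image types a messaging web client might accept
# (assumed set; extend as needed).
IMAGE_SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Markup that a browser will render as a page even when the declared type says
# "image/*": exactly the mismatch the article describes.
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<svg|<iframe", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the image MIME type whose signature matches the leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_attachment(declared_mime: str, data: bytes):
    """Decide whether an attachment may be served inline under its declared type.

    Returns (accepted, reason). A file declared as an image must carry a matching
    signature, and anything that looks like markup is rejected outright, whatever
    the sender claimed it was.
    """
    head = data[:1024]
    if HTML_MARKERS.search(head):
        return False, "markup detected in a file presented as media"
    if declared_mime.startswith("image/"):
        actual = sniff_image_type(head)
        if actual is None:
            return False, "no known image signature"
        if actual != declared_mime:
            return False, f"declared {declared_mime} but content is {actual}"
        return True, "signature matches declared type"
    return False, f"unsupported content type {declared_mime}"
```

Checks like this belong alongside serving the file with `X-Content-Type-Options: nosniff`, so the browser trusts the validated type instead of sniffing the body itself.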
Photograph copyright welcomia under licence from Thinkstockphotos.co.uk