WhatsApp flaw let hackers hijack accounts with image trick

Cyber criminals could hijack users’ WhatsApp and Telegram accounts by sending specially-crafted malicious images, according to security experts.

Researchers from Check Point found a flaw in the way the messaging apps’ web versions process images that could allow attackers to trick victims into clicking links.

By sending what appears to be an innocuous photo, cyber criminals could fool users into opening HTML pages containing malware and hijack their accounts.

“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists and more,” wrote Check Point’s researchers in a blog post explaining the attack.

“This means that attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom and even take over your friends’ accounts.”

For the attack to work in WhatsApp, a user just had to open the malicious image, while in Telegram they had to open a video in a separate Chrome tab.

“Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” the researchers said.

The security firm reported the flaw to the teams behind the apps on March 7th and they have since changed their file validation processes.

“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Check Point’s Oded Vanunu, adding that users should ensure they are using the most recent versions of the messaging services’ web apps.
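
The kind of validation the researchers say was missing, shown as an added example (not code from WhatsApp, Telegram or Check Point): because the service is blind to encrypted content, the client checks that a file declared as an image really is one before encrypting it. The function names, allow-list and sample inputs are assumptions made for illustration.

```javascript
// Added example: attachment validation a web client could run before
// encrypting (sender) and after decrypting (receiver).
// Names and the allow-list are hypothetical, not the vendors' code.

const SIGNATURES = [
  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/gif', magic: [0x47, 0x49, 0x46, 0x38] },
];

// Identify the image type from the leading bytes; null if none match.
function sniffImageType(bytes) {
  for (const { mime, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Accept only if the declared type is allow-listed and the content agrees.
function validateAttachment(declaredMime, bytes) {
  if (!SIGNATURES.some((s) => s.mime === declaredMime)) {
    return { ok: false, reason: 'declared type not allow-listed' };
  }
  const actual = sniffImageType(bytes);
  if (actual === null) {
    return { ok: false, reason: 'content is not a recognised image' };
  }
  if (actual !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${actual}` };
  }
  return { ok: true, mime: actual };
}

// Constructed sample inputs: a PNG header and an HTML page posing as a JPEG.
const pngHeader = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const htmlAsJpeg = new TextEncoder().encode('<!DOCTYPE html><html><body>not an image</body></html>');

console.log(validateAttachment('image/png', pngHeader));
console.log(validateAttachment('image/jpeg', htmlAsJpeg));
console.log(validateAttachment('text/html', htmlAsJpeg));
```

A leading-byte check only shows that a file starts like an image, so the receiving client should also display decrypted data using the validated type rather than the declared one.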

Copyright Lyonsdown Limited 2021
