Anyone using WhatsApp through their desktop browser could have had their messages silently snooped on and their accounts completely hijacked in the last two years, security researchers warned Wednesday.
Security firm Check Point has found a bug in the web versions of WhatsApp and Telegram, which could be exploited to access chats and media. The two messaging apps fixed the vulnerability following its disclosure on 8 March.
The flaw is believed to have been present in WhatsApp Web since its launch in January 2015.
“The exploitation of this vulnerability starts with the attacker sending an innocent-looking file to the victim, which contains malicious code,” said Check Point.
The security firm revealed a new technique that it says could bypass WhatsApp’s end-to-end encryption by hiding HTML code in a seemingly innocuous image. If a victim clicks on it while using the web version of the app, the code runs in the victim’s browser, gaining full access not only to the target’s messages, but also to any shared photos and videos and to their contact list.
A full breakdown of the vulnerability is available here.
WhatsApp Web Account Takeover
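The attack described above depends on a file being treated as an image while its bytes are actually HTML. As an added example (not code from WhatsApp, Telegram or Check Point, and not a description of their actual fix), the check below compares an attachment's declared type with its leading bytes before the file is accepted; the function names, the allow-list and the sample bytes are constructed for illustration.

```javascript
// Added example: all names and sample data are constructed for illustration.
// Allow-list of image types and the magic bytes each must start with.
const SIGNATURES = {
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/gif': [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // GIF87a
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // GIF89a
  ],
};

// Leading markup that a browser would render as a document, not an image.
const HTML_MARKERS = ['<!doctype html', '<html', '<head', '<body', '<script', '<iframe', '<svg'];

function startsWithBytes(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

function looksLikeHtml(bytes) {
  // Inspect only the first 512 bytes, ignoring a UTF-8 BOM and leading whitespace.
  const head = String.fromCharCode(...bytes.slice(0, 512)).toLowerCase();
  const trimmed = head.replace(/^\xef\xbb\xbf/, '').trimStart();
  return HTML_MARKERS.some((marker) => trimmed.startsWith(marker));
}

// Returns { ok, reason }. The declared MIME type is never trusted on its own.
function checkAttachment(declaredMime, bytes) {
  const signatures = SIGNATURES[declaredMime];
  if (!signatures) return { ok: false, reason: 'unsupported-type' };
  if (looksLikeHtml(bytes)) return { ok: false, reason: 'html-content' };
  if (!signatures.some((sig) => startsWithBytes(bytes, sig))) {
    return { ok: false, reason: 'signature-mismatch' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed samples: a PNG header, and harmless markup labelled as a JPEG.
const PNG_SAMPLE = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const HTML_SAMPLE = Uint8Array.from(
  Array.from('<html><body>constructed sample</body></html>', (c) => c.charCodeAt(0))
);

console.log(checkAttachment('image/png', PNG_SAMPLE));
console.log(checkAttachment('image/jpeg', HTML_SAMPLE));
console.log(checkAttachment('image/jpeg', PNG_SAMPLE));
```

A leading-bytes check does not catch a file that begins with a valid image header and carries markup later, so it should be paired with serving user files under an explicit image `Content-Type` with `X-Content-Type-Options: nosniff`.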
Check Point also revealed a similar attack on the web version of Telegram, which the researchers say can hide malicious code in a video that a user opens in a new tab.
Telegram Web Account Takeover
Luckily for users, we don’t have to update any apps to protect ourselves from the attack. The issues were fixable on WhatsApp and Telegram servers, meaning we just have to do a browser restart to solve the problem. The bugs only affect those using the web browser services, not the mobile or desktop apps.
After all has been said and done, we should use this news as a reminder that no software is completely hacker-proof.