WhatsApp and Telegram close web client leak that gave hackers access to messages
WhatsApp and Telegram have patched a leak in their web versions that allowed attackers to take over user accounts. The company Check Point discovered the leak and informed the makers of the chat services last week.
Check Point describes that exploiting the vulnerability was possible by sending a malicious HTML file containing an image preview to a victim. This allowed access to personal and group conversations, shared files and contacts, among other things.
In the case of WhatsApp, the researchers were able to circumvent the file type restrictions in the web version by exploiting the fact that files are sent encrypted to WhatsApp’s servers. That way, they could upload a malicious HTML file, which had an attractive preview that a user would click on. If a user did click on the file, his local storage was sent to the attackers. This allows the attacker to take over the victim’s account, according to Check Point.
In that case, the victim would see a message that the user is logged in at a different location, but this can be circumvented by using a few lines of code to cause the victim’s browser window to crash.
In the case of Telegram, the researchers were also able to circumvent the file upload restrictions. For example, they were also able to upload a malicious HTML file that gives the impression of containing a video. The difference with the WhatsApp method is that a victim has to open the video in a new tab, which requires an additional step for a successful attack. Also, Telegram does not show a warning, because it allows multiple sessions. The further course of the method corresponds to that of WhatsApp.
Forbes writes that the leaks existed since the release of the WhatsApp software in January 2015. The company claims that no use has been made of the vulnerability since then. The researchers say they have not investigated whether Signal’s web version is also vulnerable to this method. The companies resolved the vulnerability by validating file types before uploading. it is not the first time that the web version of WhatsApp has proved vulnerable. In 2015, it turned out that it was possible to spread malware via vcards.