Check Point offered yet another reason not to click on suspicious files by revealing vulnerabilities in the WhatsApp and Telegram web clients that could let attackers take over user accounts with little more than a dank image macro, some malicious code, and the hope that you'll decide to open the file. (Who can resist clicking on a hot new meme sent to you by a complete stranger?) Both services have already responded to Check Point's disclosure.
The vulnerabilities are notable because WhatsApp and Telegram both pitch themselves as secure communications tools. WhatsApp in particular has been praised for using end-to-end encryption (E2EE) utilizing the well-regarded Signal protocol used by the popular app of the same name. But, much like the revelation that the CIA hacks smartphones to circumvent these protections, Check Point's report shows how dedicated attackers can get at private data.
It's important to note that Check Point's report--again, like the CIA revelations from WikiLeaks' document trove--doesn't mean you should give up on encrypted communications and start texting people via SMS. These apps still make it much harder for someone to compromise your communications, and given that Check Point said both WhatsApp and Telegram have fixed the problems in their latest web clients, even this problem isn't too alarming.
Now that we've covered all that, here's what Check Point said about the vulnerabilities in its report:
The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code. The file can be modified to contain attractive content to raise the chances a user will open it. Once the user clicks to open it, the malicious file allows the attacker to access WhatsApp’s and Telegram’s local storage, where user data is stored. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to the all victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.
Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.
The security company said that exploiting these issues "would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more." Some restrictions applied, like WhatsApp's limit of one browser session per account, but crafty attackers could even work around that obstacle to maintain access to user accounts.
That's made even more troublesome by the fact that attackers could then send malicious files to your contacts to take over their accounts, too. Those people would probably be even easier targets--it's much easier to convince someone to open an image sent by someone they know, especially if attackers use what they learn from your message history to make it seem like the message really came from you. Knowledge really is power there.
Check Point offered two pieces of advice to WhatsApp and Telegram users:
- Periodically clean logged-in computers from your WhatsApp & Telegram. This will allow you to control the devices that are hosting your account, and shut down unwanted activity.
- Avoid opening suspicious files and links from unknown users.
In the meantime, it's good to know both companies quickly responded to the problem. Check Point said it made them aware of the issue on March 7. Now, a week later, it seems that neither WhatsApp nor Telegram users are vulnerable to these attacks. That's a pretty good turnaround, and even though Telegram, especially, has other security flaws, it shows that you don't have to give up on encrypted communications tools just yet.