How did flaws in WhatsApp and Telegram enable account takeovers?

Researchers at Check Point Software Technologies found vulnerabilities in encrypted messaging services WhatsApp and Telegram that enable attackers to access users' conversations and files and to take over their accounts. The flaw occurs in the web versions of these apps. What is the issue, and how does the flaw break encryption?

The messaging services WhatsApp and Telegram are popular with users because they provide end-to-end encryption; this means that any messages sent between users are encrypted on the device before the message is sent and can only be decrypted by the recipient. Neither the WhatsApp nor the Telegram servers can read the contents of messages sent between users.

However, this data security and privacy measure creates a situation that hackers could abuse to access users' messages and files, and even to take over their accounts. End-to-end encryption prohibits the scanning of messages for viruses or other malicious code sent via either service.

Researchers at Check Point Software Technologies discovered that the way both WhatsApp and Telegram process images and multimedia attachments on their web-based applications could enable an attacker to send a seemingly innocuous file, which in fact contains malicious code, to a victim.

The WhatsApp web client limits the types of files that can be uploaded by a user and sent as an attachment. However, messages are encrypted before the type of attachment the user is sending has been validated. This means that it is possible to change the file type variable and then encrypt the file in order to bypass the restriction on allowed file types. This could enable an attacker to craft a malicious HTML file with a legitimate image preview designed to trick the recipient into opening it.

This image is actually hiding an HTML5 FileReader object, so if the recipient clicks on it, the WhatsApp web client takes them to the attacker's malicious HTML page. Once loaded, a JavaScript function in the malicious HTML file can send the victim's local storage data to the attacker, enabling him to take over the account and access anything in it.

As a security measure, WhatsApp doesn't allow a client to have more than one active session open at a time, but the attacker can use another JavaScript function to cause the client browser window to hang and to prevent the victim from interfering with the attack.

The Check Point attack against Telegram is similar, but uses a mime type of a video file to bypass Telegram's upload policy to upload a malicious HTML document. Once the victim opens the video in a new browser tab, it starts playing, and the users' session data is sent to the attacker. However, this attack only works if the victim is using the Chrome browser and follows a specific set of unusual steps, although they wouldn't be aware of the attack since Telegram allows users to keep more than one active session open at the same time.

End-to-end encryption is an essential security mechanism, but in this case, it is the cause of a vulnerability. By encrypting a message's content prior to validating it, the client-side file upload checks can be bypassed.

This vulnerability only affects the web platforms of each service, and both WhatsApp and Telegram have issued fixes to protect against the attack by validating content before encrypting it. All that's required from users is a browser restart to ensure they are using the latest version of the app.

As always, WhatsApp and Telegram users should be wary of opening links and files from unknown users. Using two-factor authentication on important accounts and services is another security control that can prevent attacks looking to illegally access accounts.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)