The messaging app’s vulnerabilities had been exposing users to having their accounts hijacked.
Encrypted messaging service Telegram and WhatsApp security has now improved as patches correct detected vulnerabilities. The problems were leaving users open to having their accounts taken over, including providing access to photos and videos, personal and group conversations, and other types of files.
The vulnerabilities were recently identified and revealed b here different Check Point Software Technologies researchers.
The researchers were: Roman Zaikin, Eran Vaknin and Dikla Barda. They stated that the flaw in the Telegram and WhatsApp security had to do with the way their web versions parsed attachments. According to those researchers, the vulnerability could be exploited in both Telegram and WhatsApp if an attacker sent a user a file containing malicious code. As soon as the user opens the file, it grants the attacker with access to the user’s local storage from the mobile app.
The researchers found that they were able to get through the existing Telegram and WhatsApp security.
They accomplished this by sending what looked like an image preview but that turned out to be a malicious HTML document. Once a user is tricked with a fake file, that user is directed to a BLOB URL with the file’s content. The BLOB URL is created by FileReader HTML 5, which is one of WhatsApp’s APIs. The FileReader object is stored at web.whatsapp.com, which could open up the user’s account to access by an attacker.
While the creators of WhatsApp did try to prevent that type of issue by adding a warning prompt that advises a user that the service is being accessed in two locations (allowing the user to close the other location and keep only the current one open), attackers can use a second piece of malicious JavaScript code in order to skip around the prompt.
The Telegram attack strategy was quite similar to the one used to bypass WhatsApp’s security. In both cases, even an active user would not be aware that their account was being accessed by an attacker. Since that recent discovery, Telegram and WhatsApp security patches have been rolled out to protect users from those vulnerabilities.
