A recently disclosed vulnerability by Check Point proved that both WhatsApp and Telegram were susceptible to particularly nefarious online attacks. While most attacks only garner tidbits of user data, these allowed attackers to gain full control of user accounts. Once in, attackers could download previously shared photos, contact information, and even more importantly gain access to a user’s friends accounts as well. Both companies acknowledged and released fixes to help patch the web client vulnerabilities.
Last week reports came in from Wikileaks noting that the CIA has an active team working on iOS malware and vulnerabilities. Much of the news focused on social media and well-known messaging clients that were already compromised and being spied on by the CIA. After the initial shock subsided, it was made clear that poor wording on Wikileaks’ part did not mean that the clients were truly compromised. While this helped subside some of the fear, Check Point’s disclosure today show us that web clients are still not safe.
In a newly released disclosure, Check Point explains how they were able to craft a maliciously innocuous file into completely taking over WhatsApp and Telegram user accounts. By faking a MIME type, and crafting an HTML file to give an image preview, attackers could convince users to click on their shared content and allow the accounts to be completely taken over.
Demo videos shared by Check Point showcase just how quickly and seamlessly the attacks happen. As soon as the victim clicks on the file and loads the data, the attacker is inside the account and can begin grabbing data to their liking.
Once the account is taken over, WhatsApp users would be near instantly notified that WhatsApp is open on another computer or browser. Telegram users wouldn’t even be notified because Telegram allows multiple browser sessions to be open at the same time. For the full technical breakdown, Check Point has all the information over on their site.
This vulnerability may be fixed by WhatsApp and Telegram, but it doesn’t mean that new ones won’t eventually creep up. To protect yourself against vulnerabilities like this, be sure to never click on any shared content from unknown senders.