Encrypted messaging services WhatsApp and Telegram patched vulnerabilities in the last week that could have let an attacker take over a user’s account, access personal and group conversations, along with photos, videos and other files.
A trio of researchers with Check Point Software Technologies, Eran Vaknin, Roman Zaikin and Dikla Barda, disclosed the vulnerability on Wednesday. The flaw, they said, stemmed from the way the web versions of WhatsApp and Telegram parsed attachments.
Researchers said an attacker could have exploited the vulnerability in both services by sending a user a file laced with malicious code. Once opened, the file could grant an attacker access to the victim’s local storage and from there, personal chats and photos.
Researchers with the firm were able to bypass WhatsApp’s file upload mechanism by sending a malicious HTML document disguised as an image preview.
According to the researchers, after an attacker has tricked a user into clicking through the phony image, the victim would be brought to a unique BLOB URL with the file content. FileReader HTML 5, an API call that WhatsApp uses, generates the BLOB URL. The FileReader object is located at web.whatsapp.com, something that could ultimately hand the attacker access to that user’s account. Because WhatsApp thinks the same user is signed in at two locations, they’ll be prompted by the service to either log out or stay logged in but researchers say attackers can get around this prompt with another bit of malicious JavaScript code.
The researchers said they were able to add a MIME type, a mechanism that tells the client what kind of document is being transmitted, to bypass the web client’s restriction. In this case the attackers added “text/html” and were able to upload an additional malicious HTML document.
“Just by viewing the page, without clicking on anything, the victim’s Local storage data will be sent to the attacker, allowing him to take over his account,” Vaknin, Zaikin, and Barda write, “The attacker creates a JavaScript function that will check every 2 seconds if there is new data in the backend, and replace his local storage to the victim.”
The attack on Telegram was strikingly similar. Researchers were able to bypass the web app’s upload policy to upload a malicious HTML document, this time with a MIME type that looked like a “video/mp4” instead of an image. As soon as a victim opened the video, it again was possible for an attacker to modify the MIME type and bypass client restriction. While the attackers uploaded an additional malicious HTML document to Telegram, the victim was taken to the video, which opened in a new tab – while their session data was sent to the attacker.
Telegram, unlike WhatsApp, allows users to keep multiple active sessions at once, so a user wouldn’t be aware if their account had been hijacked.
Telegram contended Check Point’s claims in a blog post Wednesday afternoon and stressed the attack would require “very special conditions and very unusual actions from the targeted user to succeed.” The messaging service said that a user would have had to have clicked through to the video and opened it in a new tab in order for their account to have been compromised. The attack also only worked in Chrome, Telegram said.
Check Point amended its blog post on Thursday to clarify that a victim would have had to have opened the video in a new tab in order for their local storage data to be sent to an attacker.
It’s unclear exactly when WhatsApp and Telegram rolled out fixes for the vulnerabilities, but based on the companies’ interactions with Check Point researchers it must have been at some point in the last six days. Researchers said they disclosed the vulnerabilities to WhatsApp and Telegram on March 7. Both companies “verified and acknowledged the security issue and developed a fix for web clients worldwide soon after.”
While WhatsApp and Telegram’s web versions can only be accessed via a browser, the services contain the same content as the services on a user’s device, including personal messages, photos, and files.
News of the vulnerabilities follow of a tense couple of weeks of scrutiny around the security of encryption apps.
A slew of misleading articles surfaced last week, following Wikileaks’ massive Vault 7 dump, claiming the CIA could bypass encrypted messaging apps such as Signal, Telegram, WhatsApp, and Confide. The treasure trove of hacks stemmed largely from exploiting vulnerabilities on devices – cellphones, even TVs – themselves, not the actual encryption apps. Open Whisper Systems, the Moxie Marlinspike-founded software organization that developed the Signal protocol, was quick to dispel any contrasting rumors last Tuesday.
“The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption,” the company said on Twitter, “The story isn’t about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we’re doing is working.”
In mid-January WhatsApp had to fire back at the news outlet The Guardian to contend claims made by the paper the app had a backdoor that could be used for third-party spying. Later that same week a list of respected cryptographers, including Bruce Schneier and Matthew Green, called the publication’s stance “reckless” and “uncontextualized,” and urged the The Guardian to retract the story. The Guardian didn’t apologize, nor did it issue a retraction, but did change how it used the word “backdoor” in its story.
This article was updated on Thursday, March 16 to include information from Check Point’s updated blog post and comments from Telegram Messenger LLP.