A security vulnerability in the desktop versions of two popular ultra-secure messaging applications – WhatsApp and Telegram – was recently discovered that gave hackers the ability to completely take over the personal accounts of "hundreds of millions" of users.
That's according to security researchers at Check Point, who disclosed this week (15 March) that the hack affected every type of web browser and exploited the way the desktop counterparts mirror messages sent and received by the user and sync them between devices.
The bug exposed users' personal and group texts, photos, videos, shared files and contact lists, Check Point experts said in a joint blog post. They claimed the bug meant that attackers could also potentially download photos, send messages on your behalf or take over friends' accounts.
The security firm said it disclosed proof of vulnerability to both WhatsApp and Telegram on 7 March this year. Both companies were reportedly quick to respond, verifying and acknowledging the issue soon after.
To deploy the fix, users now simply need to restart their browsers. Mobile-only users need not worry: the flaw only hit the web-browser versions of the services.
Both platforms are well-known for offering end-to-end encryption, which helps to fend off unwanted snooping. Check Point, however, said the flaw took advantage of the fact that the services encrypt content immediately, which left them effectively "blind" to the actual content of the messages.
"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," the blog post stated. Alongside technical evidence, the firm released videos showing the hack in action.
How it works
"The exploitation of this vulnerability starts with the attacker sending an innocent-looking file to the victim, which contains malicious code," the researchers wrote. This file, the experts told Forbes in an interview, could be as rudimentary as a picture of a cat.
They continued: "The file can be modified to contain attractive content to raise the chances a user will open it. Once the user clicks to open it, the malicious file allows the attacker to access WhatsApp's and Telegram's local storage, where user data is stored.
"From that point, the attacker can gain full access to the user's account and account data. The attacker can then send the malicious file to all the victim's contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks."
The patches mean that content is now validated by WhatsApp and Telegram before the encryption kicks in, allowing them to block malicious files. Luckily, the bug is not believed to have been successfully exploited in the wild.
"We build WhatsApp to keep people and their information secure," a spokesperson told IBTimes UK. "When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser."
Oded Vanunu, head of vulnerability research at Check Point, added: "WhatsApp and Telegram responded quickly and responsibly to [defend] against exploitation of this issue in all web clients."
WhatsApp has more than one billion users worldwide and remains one of the most accessible – and effective – services for the general user. Despite this flaw, that fact remains true. Telegram has over 100 million monthly active users, reportedly delivering over 15 billion messages every day.