WhatsApp, despite being the most popular messaging service on both Android and iOS platforms has had its fair share of vulnerabilities. A recent report by CheckPoint Research has revealed yet another plaguing issue in the messaging service, that allows an attacker to take over any WhatsApp account by sharing a malicious image.
The security research at CheckPoint has revealed that this issue is common to Telegram too. This vulnerability in two popular messaging services can be accessed only when both victim and the hacker are using them via desktop browser. For the uninitiated, both Telegram and WhatsApp can be used via a desktop browser, wherein the messaging services relay the information from the mobile app directly to the browser. It’s worth noting that a recent WhatsApp Web vulnerability allowed attackers to hold a user to ransom.
CheckPoint reveals that this vulnerability has been created due to the addition of the recent end-to-end encryption feature. The end-to-end encryption feature, which can now be seen on both the messaging services, allows only the sender and the receiver to see the content of a message. Thus preventing WhatsApp to verify the content of the message before sending it across. This has in turn, has created a loophole that allows a hacker to easily send across a malicious content to any WhatsApp users.
In a video, CheckPoint researchers show how a hacker can send an image file with malicious content to a user and take over the users account. The hacker can simply attach a malicious HTML document and then upload a picture as a preview image. When the user receives the message, they are foxed to believe that they are opening an image file. As soon as they open the HTML file, the attacker gets full access to the user’s WhatsApp account. This enables him to do anything, starting from downloading your WhatsApp gallery photos to sending messages to any random user.
With that said, WhatsApp and Telegram have been quick to acknowledge the vulnerability and have now taken requisite measures to curb down the issue. Nonetheless, this revelation clearly highlights how vulnerable our messaging clients are to these security threats, irrespective of the operating system of our mobile devices.