Booby-Trapped Photo Flaw Left WhatsApp, Telegram Accounts Vulnerable

Booby-Trapped Photo Flaw Left WhatsApp, Telegram Accounts Vulnerable
bykst / Pixabay

A cyber-security research firm warns that WhatsApp and Telegram users may have unknowingly let hackers into their accounts—simply by looking at a photo that contained malicious lines of code. To gain full access to your account, all a hacker had to do was send a photo that basically worked like the Trojan Horse, convincing the recipient that it was innocent enough to let in so that its senders could infiltrate the account.

Same vulnerability in WhatsApp and Telegram

Check Point Security researchers discovered the vulnerability in both Facebook-owned WhatsApp and Telegram, two of the most widely-used messaging apps in the world. Both apps have fixed the loophole, which was related to the end-to-end encryption every tech firm claims is supposed to keep hackers from snooping and enable only the sender and recipient to read messages sent through their platforms.

“Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platform – WhatsApp Web and Telegram Web,” Check Point explained in a post on its website. “The online version of these platforms mirror all messages sent and received and are fully synced with the users’ device.”

Gates Capital Returns 32.7% Tries To Do “Fewer Things Better”

Gates Capital Management's Excess Cash Flow (ECF) Value Funds have returned 14.5% net over the past 25 years, and in 2021, the fund manager continued to outperform. Due to an "absence of large mistakes" during the year, coupled with an "attractive environment for corporate events," the group's flagship ECF Value Fund, L.P returned 32.7% last Read More

Both apps were encrypting messages without validating themselves, which meant that neither of them were even able to keep hackers from sending malicious content through their platforms.

How hackers could have exploited the vulnerability

Hackers who discovered the vulnerability would simply have to send an “innocent looking file” containing malicious code to the prospective victim. Because it looks innocent and, presumably, the hacker included content that looks attractive to the recipient, they are more likely to open it. After clicking on it, the malicious code the hacker has inserted into it grants the hacker full access to the local storage in the user’s WhatsApp and Telegram accounts. This is the place user data is stored, and once they’re in, the hacker has access to everything in the account, including the owner’s contact list.

From there, it would be easier for the attacker to get into the accounts belonging to all that person’s contacts by sending them an innocent-looking file with malicious code in it. After all, even those who are usually cautious of images sent to them by someone they don’t know, no matter how innocent they look, are more likely to look at images sent to them by someone they do know.

Recommendations to secure your WhatsApp account

Check Point also offered some general security tips for messaging app users, even though both of these two companies have fixed this vulnerability. One is to regularly clean out the computers that are logged into your WhatsApp and Telegram accounts. This gives you control over which devices are hosting your account and shut down activities you don’t want.

The other tip is just to not open any files or click on links sent from people you don’t know, no matter how innocent they might look.

Updated on

Michelle Jones is editor-in-chief for and has been with the site since 2012. Previously, she was a television news producer for eight years. She produced the morning news programs for the NBC affiliates in Evansville, Indiana and Huntsville, Alabama and spent a short time at the CBS affiliate in Huntsville. She has experience as a writer and public relations expert for a wide variety of businesses. Email her at [email protected]
Previous article Global Real Estate Valuation Froth? Some (Worrying) Napkin Math
Next article Aswath Damodaran – Session 6: Equity Risk Premiums

No posts to display