A cyber-security research firm warns that WhatsApp and Telegram users may have unknowingly let hackers into their accounts—simply by looking at a photo that contained malicious lines of code. To gain full access to your account, all a hacker had to do was send a photo that basically worked like the Trojan Horse, convincing the recipient that it was innocent enough to let in so that its senders could infiltrate the account.
Same vulnerability in WhatsApp and Telegram
Check Point Security researchers discovered the vulnerability in both Facebook-owned WhatsApp and Telegram, two of the most widely-used messaging apps in the world. Both apps have fixed the loophole, which was related to the end-to-end encryption every tech firm claims is supposed to keep hackers from snooping and enable only the sender and recipient to read messages sent through their platforms.
“Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platform – WhatsApp Web and Telegram Web,” Check Point explained in a post on its website. “The online version of these platforms mirror all messages sent and received and are fully synced with the users’ device.”
Both apps were encrypting messages without validating themselves, which meant that neither of them were even able to keep hackers from sending malicious content through their platforms.
How hackers could have exploited the vulnerability
Hackers who discovered the vulnerability would simply have to send an “innocent looking file” containing malicious code to the prospective victim. Because it looks innocent and, presumably, the hacker included content that looks attractive to the recipient, they are more likely to open it. After clicking on it, the malicious code the hacker has inserted into it grants the hacker full access to the local storage in the user’s WhatsApp and Telegram accounts. This is the place user data is stored, and once they’re in, the hacker has access to everything in the account, including the owner’s contact list.
From there, it would be easier for the attacker to get into the accounts belonging to all that person’s contacts by sending them an innocent-looking file with malicious code in it. After all, even those who are usually cautious of images sent to them by someone they don’t know, no matter how innocent they look, are more likely to look at images sent to them by someone they do know.
Recommendations to secure your WhatsApp account
Check Point also offered some general security tips for messaging app users, even though both of these two companies have fixed this vulnerability. One is to regularly clean out the computers that are logged into your WhatsApp and Telegram accounts. This gives you control over which devices are hosting your account and shut down activities you don’t want.
The other tip is just to not open any files or click on links sent from people you don’t know, no matter how innocent they might look.