The recent discovery of vulnerabilities in the security of WhatsApp and Telegram by cybersecurity researchers revived the fears instilled in internet users following the “Vault 7” WikiLeaks publications.
The transparency and whistleblowing organization brought to light the possibility of the US Central Intelligence Agency having tools that can compromise WhatsApp, Telegram, and other messaging applications that utilize end-to-end (E2E) encryption.
According to a report documented by Check Point’s cybersecurity researchers, crucial vulnerabilities were discovered in the E2E encryption mechanism of WhatsApp and Telegram’s web online services.
The online versions of the two services are synced with the users’ device and reflect all the messages received and sent by the users.
If a hacker exploits these vulnerabilities, they would be able to take full control of a user’s account on any browser.
This would mean complete access to the victim’s conversations (personal and group), shared files (photos and videos), as well as contact lists.
As one would imagine, exploiting these vulnerabilities could give rise to several adverse scenarios.
With these vulnerabilities, an attacker could leak the victim’s photos or videos online, ask for ransom, send messages to people on the victim’s contact list, or even take control of secondary accounts.
A hacker could exploit the vulnerabilities by sending phishing-like bait files that contain malicious code.
It is highly likely that they would modify the files and embed attractive content to trick the victims into opening them.
In the WhatsApp case, the file upload mechanism supports document types including PDFs, Office documents, audio files, image files and video files.
The internet security researchers at Check Point were able to circumvent the restrictions in this upload mechanism.
They achieved this by attaching an HTML document containing malicious code to an authentic preview of an image.
This was done to trick the victim into clicking on the document, after which the target account was taken over.
Once the document is clicked, a unique blob URL is generated by the WhatsApp web client using the HTML5 FileReader API.
The user is consequently directed to this URL.
At this point, the victim does not need to click on anything; their local storage becomes accessible to the hacker through the exploited vulnerabilities.
They can then easily take complete control of the account.
By employing a JavaScript function, the attacker can periodically check for new data on the victim’s end and replace their own browser storage with the victim’s storage.
Since it is not possible to have two active sessions in WhatsApp, the victim will receive a message stating that WhatsApp is open on another computer or browser – a minor mitigation of the threat, all things considered.
In the Telegram case, only video and image files are stored within the browser in the Filesystem section.
The research team at Check Point was able to bypass the upload policy stipulated by Telegram and managed to upload a malicious HTML document.
The tampered document carried the MIME type of a video file.
The researchers then managed to send it to the target account through Telegram servers in an encrypted channel.
If the victim clicks on the video, it starts playing, at which point the HTML file is loaded into the browser’s memory.
For the technique to be successful, the victim has to open the video file in a new tab.
If this happens, the current session data is made accessible to the hacker.
The local storage of the target client is sent to the hacker, enabling them to take control of the account.
As with the WhatsApp vulnerabilities, a hacker can develop a JavaScript function that enables them to periodically check for new data from the victim end and replace their local storage with that of the victim.
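Both attack chains above hinge on the same weakness: the web client trusted the attachment’s declared type (an image preview, a video MIME type) and handed the bytes to the browser as a blob URL, where HTML content is rendered and executed in the messenger’s own origin. The following is an added example, not code from Check Point, WhatsApp or Telegram, of the kind of content check a web client can run before it creates such a URL: it sniffs the file’s magic bytes, refuses anything that a browser would parse as markup, and falls back to `application/octet-stream` (which browsers download rather than render) whenever the content does not match what was declared. The signature list, marker list and sample byte strings are constructed for the example and are assumptions.

```javascript
// Added example (not the messaging clients' own code): validate an attachment's
// bytes against its declared MIME type before exposing it through a blob URL.

// Magic-byte signatures for the media types the example accepts (assumed list).
const SIGNATURES = [
  { mime: "image/png",       offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg",      offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif",       offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: "application/pdf", offset: 0, bytes: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
  { mime: "video/mp4",       offset: 4, bytes: [0x66, 0x74, 0x79, 0x70] }, // "ftyp" box
];

// Leading tokens that mean "a browser would treat this as a document",
// regardless of the type the sender declared.
const MARKUP_MARKERS = ["<!doctype", "<html", "<script", "<svg", "<iframe", "<body"];

function matchesAt(data, offset, sig) {
  if (data.length < offset + sig.length) return false;
  for (let i = 0; i < sig.length; i++) {
    if (data[offset + i] !== sig[i]) return false;
  }
  return true;
}

// Media type implied by the file's own bytes, or null if none is recognised.
function sniffType(data) {
  for (const s of SIGNATURES) {
    if (matchesAt(data, s.offset, s.bytes)) return s.mime;
  }
  return null;
}

// True when the first KiB contains something an HTML parser would act on.
function looksLikeMarkup(data) {
  const head = String.fromCharCode(...data.subarray(0, 1024)).toLowerCase();
  return MARKUP_MARKERS.some((m) => head.includes(m));
}

// Decide whether the attachment may be shown, and which type the client should
// pass to `new Blob(bytes, { type })`. Rejected content is forced to
// application/octet-stream so the browser will not render it as a page.
function validateAttachment(declaredMime, data) {
  const reject = (reason) => ({ ok: false, reason, blobType: "application/octet-stream" });
  if (looksLikeMarkup(data)) return reject("markup content");
  const sniffed = sniffType(data);
  if (sniffed === null) return reject("unrecognised content");
  if (sniffed !== declaredMime) return reject(`declared ${declaredMime} but content is ${sniffed}`);
  return { ok: true, reason: "content matches declared type", blobType: sniffed };
}

// Constructed sample attachments (headers only, not real media files).
const SAMPLES = {
  png:  Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]),
  jpeg: Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]),
  mp4:  Uint8Array.from([0, 0, 0, 0x18, 0x66, 0x74, 0x79, 0x70, 0x6d, 0x70, 0x34, 0x32]),
  // an HTML document a sender might declare as an image or video
  html: Uint8Array.from("\n<!DOCTYPE html><html><body></body></html>", (c) => c.charCodeAt(0)),
};

// Stand-alone run: show the decision for each sample under a declared type.
for (const [declared, sample] of [["image/png", "png"], ["video/mp4", "mp4"], ["image/jpeg", "html"], ["video/mp4", "jpeg"]]) {
  console.log(declared, sample, validateAttachment(declared, SAMPLES[sample]));
}
```

The check runs on the receiving side, so it still protects a user whose contact has been compromised; a server-side upload policy such as the one the researchers bypassed is a complementary layer, not a replacement. Serving untrusted attachments from a separate, sandboxed origin (or an `iframe` with the `sandbox` attribute) would additionally keep any content that slips through away from the messenger’s local storage.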
Telegram allows its users to have as many simultaneous active sessions as they prefer.
As such, the victims will not be aware that their accounts have been compromised.
It is very important to note that Check Point informed Facebook-owned WhatsApp and Telegram about these vulnerabilities on March 7th, 2017.
The cybersecurity firm did not make the vulnerabilities publicly known until the two companies had developed fixes for them.
According to Oded Vanunu, Head of Product Vulnerability at Check Point, the vulnerabilities placed hundreds of millions of WhatsApp web and Telegram web users at significant risk of having their accounts breached.
WhatsApp and Telegram investigated the vulnerabilities, verified and acknowledged them.
Fortunately, users of the two messaging applications can rest easy knowing that the vulnerabilities have been patched successfully.