Fixed WhatsApp vulnerability put hundreds of millions of users at risk

A Telegram and WhatsApp vulnerability putting millions at risk has been thwarted by Check Point technologies / Blue Coat Photos, Flickr CC BY-SA 2.0

Hackers exploiting the weakness could send innocent images with malicious code, which, once clicked upon, allowed complete account access.

by Stephen Sinclair

March 15, 2017 at 8:59 AM

Video of the Day: Blasting News

Check Point Software Technologies Ltd. (Nasdaq: CHKP) has unveiled new research into a vulnerability potentially affecting hundreds of millions of users of the WhatsApp and Telegram messaging services. Hackers are said to be able to mount attacks by sending unsuspecting users "innocent" images, which contain "malicious code."

Once a user clicked on an image, hackers were reported to be able to gain complete account control, including the "message history, all photos that were ever shared," and the ability to "send messages on behalf of the user."

The apparent first to discover the WhatsApp vulnerability, Check Point made both WhatsApp's and Telegram's development teams aware of it on March 8.

Oded Vanunu with Check Point stated that both messaging services acted "quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients."

Users need only close and reopen their browsers to ensure they are using the latest version, and protected from the vulnerability.

Tight 'end-to-end encryption' leaves services blind to hack

Perhaps ironically, it is the tight "end-to-end encryption" offered by both WhatsApp and Telegram that is said to be behind the vulnerability. As both services were blind to the content of messages being sent between users, hackers were able to insert malicious executable code, without the development teams being aware of it.

The fix is said to involve "validating" message contents, before it is encrypted, and then sent over the internet.

The web versions of both services are said to "mirror" all messages received and sent via the smartphone app.

WhatsApp, which is owned by Facebook, Inc. (Nasdaq: FB), is the "most prevalent instant messaging service" used in the world today. In addition to apps compatible with iOS, Android, Windows Phone 8.x, Nokia smartphones, and BlackBerry devices, the WhatsApp web platform is accessible from all major web browsers.

Telegram is said to have over 100 million "monthly users," and handle over 15 billion individual messages each day.

Periodically clear logged-in computer sessions

Check Point Software Technologies is the largst "network cyber security vendor globally," and works providing protection to over 100,000 businesses and other organizations.

Check Point has recommended that users "periodically clean logged-in computers from WhatsApp and Telegram," giving control of who is accessing an account. The Tel Aviv, Israel-based firm also recommends that WhatsApp and Telegram users avoid clicking on "suspicious files and links" from unknown people initiating contact.

Content sponsored by Outbrain