End-to-end encryption exploit left WhatsApp and Telegram vulnerable to hackers
When WikiLeaks' Vault 7 revelations about the spying capabilities and techniques were unleashed, there was concern about a number of popular apps and services that -- the documents suggested -- had been compromised. Included in this list are popular, secure chat apps WhatsApp and Telegram, and Check Point software has just released details of a vulnerability that left millions of user accounts exposed to hackers.
Google was recently criticized for releasing details of a security hole in Windows (and, subsequently another one in Internet Explorer and Microsoft Edge) before Microsoft had patched it. In fact, it was a third party who jumped to the rescue, issuing patches before Microsoft. This time around, however, after notification of the problems from security firm Check Point, WhatsApp and Telegram both patched the security holes within a week.
Check Point says that the problem only affected the web versions of Telegram and WhatsApp, but says that hackers could take advantage of end-to-end encryption to completely take control of a user's account. By simply sending a file containing malicious code, a hacker could gain access to a user's local storage, and then extend this access to the user account and user data. The way WhatsApp and Telegram encrypted messages without validation meant that the companies had no idea, and no way of knowing, that malicious code was being sent.
Check Point explains:
This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more. This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts.
A post on the Check Point blog goes into some detail about how end-to-end encryption could be exploited.
As a result of Check Point reporting the vulnerability, WhatsApp and Telegram both validate messages and check for malicious content before they are encrypted.
Both companies were warned of the issue on 7 March, and the web clients have since been fixed. Check Point says: "Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients."