Weaknesses in WhatsApp’s web client could have been hacked to steal hundreds of millions of user accounts, security researchers claim. (Photo by Carl Court/Getty Images)
Anyone using WhatsApp through their desktop browser could have had their messages silently snooped on and their accounts completely hijacked in the last two years, security researchers warned Wednesday. That’s because of a flaw, believed to have been resident in WhatsApp Web since its launch in January 2015, that was exploitable by having a user simply click on a picture, the researchers claimed.
WhatsApp fixed the vulnerability in less than 24 hours, on Thursday March 8, after hackers at Check Point warned the Facebook-owned firm that attacks were able to undo the end-to-end encryption protecting message content across millions, possibly hundreds of millions, of accounts. A similar issue affected the Telegram messenger app, though it required another step for the hack to work. Telegram patched on Monday.
Fortunately for users, they don’t have to update any apps to protect themselves from attack. The issues were fixable on WhatsApp and Telegram servers, meaning just a browser restart should solve the problem. The bugs only affect those using the web browser services, not the mobile or desktop apps.
A ‘big bug’
But the bugs had the potential to be catastrophic. Check Point’s head of research Oded Vanunu, who reported the issues to both companies last week, found the vulnerability allowed an attacker to create malicious code, hide it within an image or video, and send it to a WhatsApp or Telegram user.
Crucially, WhatsApp and Telegram would run the malicious code before the message content was encrypted and sent to a target. The attack code, hidden inside an innocuous-looking image, wouldn’t be validated by WhatsApp or Telegram before being encrypted and couldn’t be done afterwards. “So the encryption here was working for us,” said Vanunu.
Once parsed by the WhatsApp client, the code would execute evil HTML in the user’s browser. “Once this HTML inject was uploaded and was encrypted and delivered to the other side [the WhatsApp server], the other side was rendering this HTML, innocent-looking image and executed the code that was stealing the local storage of the user,” Vanunu told Forbes.
Once the malicious code was running, an attacker could access victims’ local storage data, including private and group conversations, photos, videos and contact lists, Vanunu said. And, as the local storage from the browser contains WhatsApp session tokens that grant access to whoever owns them, the accounts could be completely compromised by an attacker. Check Point warned an attacker could also give their hack worm-like features, forwarding the malicious photo to all victim contacts for mass compromise.
“It’s a big vulnerability in a big service,” Vanunu added.
Fixing the problem
According to Vanunu, WhatsApp fixed the vulnerability by forcing validation of content before encryption, so that malicious files can be blocked.
A WhatsApp spokesperson said: “When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser.” It’s unclear how many individuals were affected. The company declined to say what proportion of its 1.3 billion users ran WhatsApp in the browser.
Telegram claimed its problems were much less severe that WhatsApp’s. Markus Ra, Telegram’s head of support and public relations, said a second step was required to exploit its users: a target would have to right click on the image content and choose to open it in a new window or tab for the malicious code to run. Check Point confirmed this was accurate, though they disputed a Telegram claim that the hack only worked on Google’s Chrome browser.
“The WhatsApp case was more severe by several degrees of magnitude, since it didn’t require any actions from the target user except for opening a received attachment,” added Ra. “So an attacker could take over an account if the target simply opened a funny cat picture and did nothing else.”
WhatsApp had no record of any abuse of the vulnerability. Vanunu noted that while there is no evidence WhatsApp or Telegram were exploited in the two years by such techniques, it was apparent from Wikileaks’ CIA release last week that there was a “big effort by governments to get such capabilities on these platforms.”
This isn’t the first time massively popular technology has been undone with a single message. The infamous Stagefright bug affecting Google’s Android operating system was exploited by researchers with just one text. Another researcher uncovered an issue in Apple’s iOS in July 2016 that could have been abused to steal data from iPhones with just one multimedia message (MMS).
Check Point said it had not tested attacks against Signal, the encrypted communications app. The cryptography that powers Signal is deployed across WhatsApp, and the former remains the de facto king of private calls and texts. It’s been recommended by congressmen, cryptographers, and the best-known leaker on the planet, Edward Snowden.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.