A vulnerability patched in the web-based versions of encrypted communications services WhatsApp and Telegram would have allowed attackers to take over accounts by sending users malicious files masquerading as images or videos.
The vulnerability was discovered last week by researchers from Check Point Software Technologies and was patched by the WhatsApp and Telegram developers after the company privately shared the flaw’s details with them.
The web-based versions of WhatsApp and Telegram synchronize automatically with the apps installed on users’ phones. At least in the case of WhatsApp, once paired using a QR code, the phone needs to have an active internet connection for WhatsApp messages to be relayed to the browser on the computer.
Both web-based apps allow users to upload certain types of files like images and videos and have mechanisms checks in place to ensure that only those file types are used. However, the Check Point researchers have found a way to bypass those verifications and upload HTML files instead. Furthermore, they could make those files mimic images and videos, making them less suspicious and more attractive for users to open.
Since any HTML code executed in the context of those web apps would inherit their permissions inside the browser, attackers could have used use this technique to steal the local storage contents of those apps and upload them to a remote server. If placed in the attackers browsers, the contents could allow them to authenticate as the targeted users.
This means attackers could have gained access to the victims’ message histories and shared files and could even have sent messages on their behalf, potentially compromising their contacts in a worm-like attack.
Check Point reported the vulnerability to both companies on March 8. Since the code of the web apps is loaded directly from the WhatsApp and Telegram servers, users don’t need to do anything to get the patch. The companies have fixed the issues server-side.