Chat services WhatsApp and Telegram both had a vulnerability in their web clients that allowed attackers to hijack accounts, security researchers at Check Point revealed today. The issue was reported to both services on 7 March and was quickly fixed. There are no indications that it has been abused.
Hijacking an account was possible by sending a malicious file, for example one disguised as an image, to a user of either app. When the user clicked on the image in the WhatsApp or Telegram web client, the malicious code it contained was executed silently.
By exploiting the vulnerability an attacker could obtain full access to the victim's chat history, contacts, profile and shared photos on WhatsApp and Telegram. The malicious image could also be forwarded to all of the victim's contacts to claim further victims.
The vulnerability existed partly because of the strong encryption both services use. Because the apps use end-to-end encryption, the services cannot inspect the contents of an image before delivering it, so any check on what a file really is has to happen in the client after decryption. WhatsApp uses end-to-end encryption by default, whereas on Telegram a 'secret chat' has to be started to get end-to-end encryption.
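Since the server cannot see the file, the check that a "picture" really is a picture has to live in the web client. The following is an added example of such a client-side check, written for this article; it is not code from Check Point, WhatsApp or Telegram, and the function names, the signature table and the sample attachments are all constructed here for illustration.

```javascript
// Added example, not code from Check Point, WhatsApp or Telegram. A web client
// that previews attachments can refuse to treat a file as an image unless its
// first bytes carry a known image signature, and can then hand the bytes to the
// renderer only under the sniffed type, never under the sender's declared one.
// All sample inputs below are constructed for the demo.

const IMAGE_SIGNATURES = {
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/gif": [0x47, 0x49, 0x46, 0x38], // "GIF8", covers GIF87a and GIF89a
};

// Return the image MIME type whose signature the bytes start with, or null.
function sniffImageType(bytes) {
  for (const [mime, sig] of Object.entries(IMAGE_SIGNATURES)) {
    if (bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Decide whether an attachment may be shown as an image. The sender's declared
// MIME type is untrusted input; only the sniffed type is ever used for rendering.
function vetAttachment(declaredMime, bytes) {
  const sniffed = sniffImageType(bytes);
  if (sniffed === null) {
    return { ok: false, mime: null, reason: "no image signature; do not render or open" };
  }
  if (sniffed !== declaredMime) {
    return { ok: false, mime: null, reason: `declared ${declaredMime} but bytes are ${sniffed}` };
  }
  return { ok: true, mime: sniffed, reason: "signature matches declared type" };
}

// Helper for building constructed byte arrays from ASCII text.
const textBytes = (s) => Array.from(s, (c) => c.charCodeAt(0));

// Constructed sample: a PNG signature plus padding (not a complete image,
// but enough for signature sniffing).
const PNG_SAMPLE = [...IMAGE_SIGNATURES["image/png"], ...textBytes("IHDR....")];

// Constructed sample: an HTML document sent with a declared type of image/png,
// the shape of a malicious "image" that would run script if opened as a document.
const HTML_AS_PNG = textBytes(
  "<html><body><script>/* attacker script would run here */</script></body></html>"
);

// Simulated inbound attachments as [declared type, bytes] pairs (constructed).
const INBOUND = [
  ["image/png", PNG_SAMPLE],
  ["image/png", HTML_AS_PNG],
  ["image/jpeg", PNG_SAMPLE], // type confusion: declared JPEG, bytes are PNG
];

// Vet every inbound attachment and return the decisions in order.
function vetAll(messages) {
  return messages.map(([mime, bytes]) => vetAttachment(mime, bytes));
}

for (const [i, d] of vetAll(INBOUND).entries()) {
  console.log(`attachment ${i}: ${d.ok ? "render as " + d.mime : "rejected (" + d.reason + ")"}`);
}
```

A signature check of this kind stops a plain HTML document disguised as an image, which is the simplest form of the attack described above, but it does not by itself stop a polyglot that starts with a valid image header and carries HTML further in. The rendering side therefore still has to hand the vetted bytes to an `<img>` element under the sniffed image type only, and must never open attacker-supplied bytes as a document in the web client's own origin.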