Security researchers disclose vulnerability that allowed hijacking of millions of Whatsapp and Telegram accounts

Posted 15 March 2017 18:27 CEST by Jan Willem Aldershoff

Chat services Whatsapp and Telegram both had a leak in their web client that allowed attackers to hijack accounts, security researchers from Checkpoint revealed today. The issue was reported on the 7th of March to both chat services and quickly fixed.  There are no indications that the leak has been abused.

Hijacking accounts was possible by sending a malicious file such as an image to an user of the chat apps. When an user clicked on the image in the web client of Whatsapp or Telegram, the malicious code was silently executed.

By abusing the leak an attacker could get full access to the chat history, contacts, profile and shared photos on Whatsapp and Telegram. The malcious image could also be forwarded to all contacts of the victim to make more victims.

The vulnerability partly existed due to the strong encryption used by both chat services. Because the apps use end-to-end encryption, they can’t check the contents of the image. Whatsapp uses end-to-end encryption by default, on what Telegram a ‘secret chat’ has to be started to use end-to-end encryption. settings

Several settings at can be changed, they are stored in cookies, which means they will be reset if you clear cookies


Change the background to a plain color or trianglified image (similar to the default image)

No tracking features

At Myce most social media feature are done server side and impose no privacy risk to the visitor when not used. Several features use Javascript with you can turn off here


Switch to the List layout for an index with chronologycally listed news items or Grid layout for a block based layout. To see the change you need to reload the page