A web server vulnerability could have let hackers hijack the accounts of Telegram and WhatsApp users, security experts disclosed on Wednesday.
The messaging services are popular for their security features, including end-to-end encryption that protects data sent via their smartphone apps. But that end-to-end encryption may have actually made the web versions of Telegram and WhatsApp more vulnerable, according to researchers from Check Point Security, making it relatively easy for hackers to access personal data.
The loophole, which has since been fixed, involved the file-upload tools on the websites of both services. By uploading a malicious document (and, in WhatsApp's case, disguising it with a legitimate preview image), Check Point researchers were able to bypass security safeguards and gain access to the services' user data.
"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," Check Point researchers wrote in a blog post. No hacks are believed to have used this loophole, although Check Point said the danger was very real.
"This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more," the researchers wrote. "This means that attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts."
Check Point said it disclosed the loophole to WhatsApp's and Telegram's security teams on March 7, and both companies acknowledged the issue and have since developed a fix for their web clients.
That fix is relatively simple: both services now validate files attached to messages before they're encrypted. If you send files or messages via the WhatsApp or Telegram websites, all you need to do is restart your browser to make sure it's loading the latest version of the services' web clients.
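To make the validate-before-encrypt ordering concrete, here is an added sketch (not WhatsApp's or Telegram's code) of a web client checking an attachment's actual bytes against its declared type before the content reaches the encryption step. The function names, the allow-list and the sample files are assumptions made for this illustration, and the encrypt callback is a placeholder for the client's real end-to-end encryption.

```javascript
// Added illustration; names, allow-list and samples are assumptions, not either vendor's code.
// Allow-listed attachment types and the leading bytes that identify each one.
const SIGNATURES = [
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] },
  { type: "application/pdf", magic: [0x25, 0x50, 0x44, 0x46, 0x2d] },
];

// Return the allow-listed type whose signature matches the content, or null.
function sniffType(bytes) {
  const hit = SIGNATURES.find(
    (s) => bytes.length >= s.magic.length && s.magic.every((b, i) => bytes[i] === b)
  );
  return hit ? hit.type : null;
}

// Compare what the sender claims the file is with what the bytes say it is.
function validateAttachment(att) {
  const actual = sniffType(att.bytes);
  if (actual === null) return { ok: false, reason: "content is not an allowed type" };
  if (actual !== att.declaredType) {
    return { ok: false, reason: `declared ${att.declaredType}, content is ${actual}` };
  }
  return { ok: true, reason: "ok" };
}

// Validate first: rejected content never reaches the encrypt step,
// after which the service can no longer inspect it.
function prepareAttachment(att, encrypt) {
  const verdict = validateAttachment(att);
  if (!verdict.ok) return { sent: false, reason: verdict.reason };
  return { sent: true, reason: verdict.reason, ciphertext: encrypt(att.bytes) };
}

// Constructed samples: a PNG header, and an HTML document declared as a PNG.
const realPng = { declaredType: "image/png",
  bytes: Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]) };
const disguisedDoc = { declaredType: "image/png",
  bytes: new TextEncoder().encode("<!DOCTYPE html><html><body>not an image</body></html>") };

function runDemo() {
  let encryptCalls = 0;
  // Placeholder only: stands in for the real encryption call and counts invocations.
  const placeholderEncrypt = (bytes) => { encryptCalls++; return Uint8Array.from(bytes); };
  const png = prepareAttachment(realPng, placeholderEncrypt);
  const disguised = prepareAttachment(disguisedDoc, placeholderEncrypt);
  return { png, disguised, encryptCalls };
}
```

A signature check like this is a minimum: a file can carry a valid image header and still contain other content, so the receiving side's handling of attachments matters as well.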
Security experts have questioned Telegram's protections before, including in 2015, when unencrypted copies of the messages sent using the app's Secret Chat tool were found on Android devices.