WhatsApp image could be hacker’s key to your account details

WhatsApp, one of the most used and famed app for messaging has now been disclosed to be at risk when operated through an internet browser.

An Israeli security firm Check point has discovered the two apps, WhatsApp and Telegram prone to vulnerabilities although they are secured with end-to-end encryption. In the provided details, a hacker could bypass the app’s end-to-end encryption and could take over the account of an individual by sending a single image.

The image’s HTML code is hidden and when the recipient open that image, he/she is actually downloading the malware which gives the key to access that account with all the information including private messages, photos, videos and the contacts. However, the web version of the Telegram is also liable to similar attack but according to researchers, it can hide malicious code in a video that a user opens in a new tab.

While both the companies have made changes and fixed the vulnerabilities which were reported on 8th march. However, it has left several users open to crypto-circumventing spies. According to security researchers when it comes to privacy, smartphones are more secure as attacks point to inherent vulnerabilities in the web versions of any secure messenger.

“Unfortunately, this does highlight a weakness specific to web applications,” says Nadim Kobeissi, the founder of the applied cryptography consultancy Symbolic Software. In fact, before Kobeissi has acclaimed the ease in using the web based crypto apps. But after the check point’s revelations, he also admits the fact that the web apps are prone to the vulnerabilities which a mobile app is not.

“It’s kind of heartbreaking to have to say this, but if you’re someone in a precarious situation and you care about your security, I’d recommend you use WhatsApp on an iPhone,” he says.

A security researcher at Check point Oded Vanunu says, “Every web application, whether it’s Facebook or a bank application, has to make sure that anything you enter as an input or that you upload is the kind of file type they’re permitting.”

However, check point’s attack was showing that the ‘input validation’ process is flawed, which makes sure that image or video is a type of file which it seems to be, instead of a malware that would transfer the commands to the attacker.

“Once you manage to bypass that validation, it’s game over. The browser will run whatever you give it.” Says Oded.

Kobeissi says that web pages are more prone to vulnerabilities in these attacks. According to him the web browser as compared to typical operating systems have less distinct and isolated components which render different types of data like an image, video, or executable commands. The chance to get new data is possible in web apps as the web-based language JavaScript allows so-called ‘just-in-time’ gathering of new code which makes the app to dysfunction. Whereas, in mobile or desktop apps compilation is necessary before installation.

“That’s why these vulnerabilities work, and why they highlight a particular weakness in web apps,” Kobeissi says.

However, that doesn’t mean the attack discovered by Check point occurs often. The Check point’s Vanunu and Kobeissi both said that the WhatsApp related vulnerability, exposed by the organization happens very rare and is a uniquely serious flaw. “It’s not a new class of attack,” Kobeissi said. “But this is an impressive and clever one.”

Whereas, the Check point have mentioned some ways to prevent being a victim of such attacks. They advise you to regularly clean logged-in PCs and avoid opening suspicious files and links.

Leave a Comment