New WhatsApp vulnerability allowed takeover of accounts.
A new WhatsApp vulnerability, found in the browser-based versions of WhatsApp and Telegram, reveals the inherent weaknesses of browser-based secure messaging.
The vulnerability has already been fixed by both services, so no users are currently at risk.
To exploit the vulnerability, an attacker would send the victim an attachment which looked harmless, but was actually malicious code. In an explanation of the attack, Check Point showed how the malicious code could be convincingly disguised as a regular image.
When the victim opened the file, the malicious code would be executed. This code gave the attacker access to the browser’s local memory, where the data that granted access to the victim’s account was stored – similar to a cookie.
That data would then be automatically copied and sent back to the attacker, who would now be logged into the victim’s account. Once logged in, the attacker had full access to the victim’s message history. They could also send the same malicious file to the victim’s contacts and gain access to those accounts (assuming those contacts were also using the “Web” version).
It was also possible to mask the fact that your account had been taken over.
Both services were vulnerable due to how they detected the file types of attachments. They have been updated to run a validation check against attachments before encrypting and sending the file. This should allow them to detect such malicious files and prevent them from being sent.
While both services did have a flaw that enabled the attack, the account takeover was only possible because web browsers can run executable code, which opens up huge possibilities for attackers.
We think this particular vulnerability is rather unimportant. Both Telegram and WhatsApp are primarily used as phone apps, and not in the browser. Both services fixed the problem quickly, and there is no evidence this attack was being actively used.
But there are some important things to learn from this news:
How Should You React?
1.) Stop using Telegram altogether
While only the browser version of Telegram was affected, it is best to stop using all versions, including the app. This recommendation has nothing to do with this new bug. Telegram simply does not stand up to scrutiny from the cryptography community.
Telegram does not use end-to-end encryption by default, which many professional security analysts agree poses a usability problem that leaves users at risk of accidentally communicating without proper protection.
While there has not been any damning evidence of problems, there are doubts about Telegram’s encryption and protocol. Many prominent members of the crypto community recommend avoiding Telegram, including Matthew Green (a well-respected cryptography professor who discovered a flaw in iMessage encryption, amongst many other crypto feats) and Kenn White (a security researcher who works on professional security audits of popular software).
Instead, use the phone app versions of Signal or WhatsApp. These are considered the best options for secure communication. Signal is the absolute best, as it is primarily designed for security. WhatsApp has a larger userbase and is still *very* secure (it licenses Signal’s encryption protocol, which has withstood numerous third-party audits) but does favor usability and makes some tradeoffs which give you slightly less security/privacy.
If you are an everyday person concerned with security, choose either based on which you think you will use more (which is probably whichever one more of your friends are using). If you have reason to believe you are under surveillance (perhaps you are a civil rights advocate in a non-democratic country), use Signal.
2.) Stop using browser-based versions of Secure Messengers.
Speaking to ZDNet, Kenn White said this is a “perfect case” for “why browser-based secure messaging apps are a train wreck.”
There is an unavoidable problem here. Browsers (and desktop operating systems) are going to have more “surface area” to attack due to the amount of features and control they have. This means that all things equal, any browser-based software will always have more avenues for attack than a phone app.
This particular bug is an excellent example. WhatsApp Web and Telegram Web each had a failure in “input validation” – the process of accurately detecting a file type. Both services had their validation measures tricked into believing executable code was one of the allowable file types. But it was the browser which allowed this flaw to be turned into an attack. Without the browser, that code would not have been executed, and there would have been no account takeover.
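The fix described earlier (a validation check run against attachments before they are encrypted and sent) and the “input validation” failure described here both come down to one question: does the file’s content match the type the client claims it is? The following is an added example, not code from Check Point, WhatsApp or Telegram, showing how a web client could answer that question from a defender’s side. It checks the file’s leading bytes (“magic numbers”) against the types it allows instead of trusting the extension or the declared MIME type, and additionally refuses files that carry markup behind an image label. The allowed-type table, the function names and the sample files are all assumptions constructed for this example.

```javascript
// Added example (not Check Point's, WhatsApp's or Telegram's code): validate an
// attachment by its actual leading bytes rather than by its extension or the
// client-declared MIME type, so an HTML/script body labelled "image/png" is
// rejected before it is encrypted and sent.

// Magic-number table for the image types this hypothetical client allows.
const MAGIC = {
  'image/png':  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/gif':  [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],   // GIF87a
                 [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],  // GIF89a
};

function startsWith(bytes, prefix) {
  if (bytes.length < prefix.length) return false;
  for (let i = 0; i < prefix.length; i++) {
    if (bytes[i] !== prefix[i]) return false;
  }
  return true;
}

// Returns the MIME type the bytes actually begin with, or null if none matches.
function sniffImageType(bytes) {
  for (const [mime, prefixes] of Object.entries(MAGIC)) {
    if (prefixes.some((p) => startsWith(bytes, p))) return mime;
  }
  return null;
}

// Conservative check for markup hiding inside (or instead of) an image:
// looks at the first 512 bytes as text for tags a browser would act on.
function looksLikeMarkup(bytes) {
  const head = new TextDecoder('utf-8', { fatal: false })
    .decode(bytes.subarray(0, 512))
    .toLowerCase();
  return /<\s*(script|html|!doctype|svg|iframe)/.test(head);
}

// Main check: declared type must be allowed, content must carry that type's
// signature, and no markup may appear in the head of the file.
function validateAttachment(bytes, declaredType) {
  if (!(declaredType in MAGIC)) {
    return { ok: false, reason: `type not allowed: ${declaredType}` };
  }
  const actual = sniffImageType(bytes);
  if (actual === null) {
    return { ok: false, reason: 'no known image signature' };
  }
  if (actual !== declaredType) {
    return { ok: false, reason: `declared ${declaredType} but content is ${actual}` };
  }
  if (looksLikeMarkup(bytes)) {
    return { ok: false, reason: 'markup found inside image' };
  }
  return { ok: true, type: actual };
}

// Constructed sample inputs (not real attachments from the incident).
const PNG_HEADER = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
const SAMPLES = {
  // Genuine-looking PNG: signature followed by the start of an IHDR chunk.
  realPng: Uint8Array.from([...PNG_HEADER, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]),
  // HTML document that a client is asked to treat as image/png.
  htmlAsPng: new TextEncoder().encode('<html><script>/* constructed */</script></html>'),
  // Valid PNG signature with markup appended: passes the signature check alone.
  polyglot: Uint8Array.from([...PNG_HEADER, ...new TextEncoder().encode('<script>')]),
};

// Stand-alone run: report each sample's verdict.
for (const [name, bytes] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(validateAttachment(bytes, 'image/png')));
}
```

The point of the three samples is that the signature check alone catches the plain HTML file but not the polyglot, which is why the markup scan runs as a second, independent gate; a real client would also want the same check repeated on the receiving side, since the sender cannot be trusted to have run it.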
This is a type of bug we are going to see for a long time, so take this as a lesson: Browsers are not a secure enough platform for a secure messaging service. Download the app.
3.) It’s OK to Keep using WhatsApp on your Phone
This week’s news of a new WhatsApp vulnerability may have you worried. But this bug had nothing to do with the phone app, which is how most WhatsApp users use the service. This bug had more to do with the web browser than with a failure of WhatsApp.
The cryptography community still recommends WhatsApp as a phone app. Its end-to-end encryption uses Signal’s protocol (WhatsApp licensed it), which is considered the *best* option out there.