WhatsApp, Telegram Patch File-Upload Bug

A web server vulnerability could have let hackers hijack the accounts of Telegram and WhatsApp users, security experts disclosed on Wednesday.

SecurityWatch The messaging services are pop for their security features, including cease-to-finish encryption that protects data sent via their smartphone apps. Only that end-to-end encryption may take actually made the spider web versions of Telegram and WhatsApp more vulnerable, according to researchers from Check Point Security, making it relatively like shooting fish in a barrel for hackers to access personal data.

The loophole, which has since been fixed, involved the file-upload tools on the websites of both services. Past uploading a malicious document (and, in WhatsApp's example, disguising it with a legitimate preview paradigm), Check Signal researchers were able to featherbed security safeguards and proceeds access to the services' user data.

"Since messages were encrypted without being validated commencement, WhatsApp and Telegram were blind to the content, thus making them unable to forestall malicious content from being sent," Bank check Indicate researchers wrote in a blog post. No hacks are believed to have used this loophole, although Cheque Point said the danger was very existent.

"This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on whatever browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more than," the researchers wrote. "This ways that attackers could potentially download your photos and or post them online, ship messages on your behalf, demand ransom, and even take over your friends' accounts."

Check Point said it disclosed the loophole to WhatsApp's and Telegram's security teams on March 7, and both companies acknowledged the outcome and have since developed a gear up for their web clients.

That set up is relatively simple: both services now validate files fastened to messages before they're encrypted. If yous send files or messages via the WhatsApp or Telegram websites, all y'all need to do is make sure that you restart your browser to brand sure they're accessing the latest version of the services' spider web clients.

Telegram downplayed the threat in a blog post, explaining that the vulnerability only applied to malicious videos viewed on its site in the Chrome web browser. The company wrote that "the set on against Telegram required very special weather and very unusual actions from the targeted user to succeed."

Security experts have questioned Telegram's protections before, including in 2022, when unencrypted copies of the letters sent using the app'south Undercover Chat tool were found on Android devices.