WhatsApp and Telegram security flaw: Here's how hackers make malicious images and take control

Check Point, an Israel-based cyber security company disclosed a serious flaw in popular messaging apps like WhatsApp and Telegram that could allow hackers to take over their accounts. All that was required by the attacker was to send a malicious image file to the victim. As soon as the victim clicked the image, the attacker could control the victim's account.

There are several important things to note about the attack. Even though the flaw has been fixed by WhatsApp as well as Telegram at the time of writing this report, we should know how such a critical flaw could go unnoticed for so long and how it worked.

According to the report by Check Point, the image sent here is not exactly an innocent straight up image instead, it is a specially crafted HTML file along with a false thumbnail to appear like an image for users. These HTML files would look like a normal image and clicking on that image would navigate you to the infected page and the data stored in your internal storage will be sent to the hacker. This is true for WhatsApp users while Telegram users need to play the video message and then right-click to open it in a new tab.

WhatsApp Telegram Security flaw

Source: Check Point

The reason this flaw works is because WhatsApp and Telegram support HTML, Text and video format files to be sent to each other. Though Telegram is limited in terms of the number of images and video documents that are saved in the system storage. Check Point used text file format to bypass and upload the malicious HTML file on WhatsApp servers and it used the video file format, MP4 to bypass Telegram's upload policy. Though, crafting a message for Telegram users is hard as the hacker has to embed video data in the HTML file.

As soon as the right file format is found, WhatsApp uses the FileReader HTML 5 API to encrypt the file and upload it to WhatsApp servers or Telegram servers in Telegram's case. Since the files are encrypted, WhatsApp or Telegram can't see the contents of the file or assess what is going inside the file. WhatsApp in this instance converts the file in an encrypted BLOB for WhatsApp client (the victim in this case) to decrypt on the other end.

Hackers change the document name along with extension and other details like the preview, hiding all the parameters in the HTML file. Hackers add a JavaScript function to check for any additional data every 2 seconds. Additional tweaking to the code would allow them to bypass the limitation where WhatsApp only allows its users to use WhatsApp on one device at a time.

This way to change the document parameters to make it appear like a different file format is not new. Hackers have used images to spread malware where they embed the malicious code in legitimate image files like SVG file format as detailed by DeepDotWeb or using the Stegosploit tool.

So don't go ahead and click every single image that you get in the multiple WhatsApp and Telegram groups. It is best to be cautious about these things, rather than be sorry later.


Published Date: Mar 16, 2017 12:06 pm | Updated Date: Mar 16, 2017 12:06 pm