
WhatsApp, Telegram flaws left accounts vulnerable to hackers

The problems -- now patched -- meant hackers could have sent malicious photos or videos with the power to take over your account.

Laura Hautala Former Senior Writer
The Telegram logo. The encrypted messaging service said it patched a problem flagged by security researchers, but said it wasn't likely to have affected any users.


If you use WhatsApp or Telegram on your web browser, you'll want to shut down the browser and start it up again to keep hackers from taking over your account.

A group of researchers from cybersecurity firm Check Point revealed Wednesday that the web browser version of these popular encrypted-messaging apps had flaws that could have let hackers access and alter user accounts.

"This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts," the researchers wrote in a blog post published Wednesday.

The research comes at a sensitive time for encrypted-messaging services, which have come under fire for being vulnerable to hacking attacks. These apps scramble up communications as they travel from one user to another, making them unreadable to anyone but the sender and receiver.

So even though two recent claims that encrypted-messaging apps are vulnerable have been criticized by security experts as exaggerated or misleading, users are naturally alarmed by research like Check Point's.

Check Point says it was able to access WhatsApp user accounts by sending a photo file containing malicious code. If the user was accessing his or her account from a browser and clicked on the photo, it gave full access to the sender.


The Telegram hack was a bit more complicated. Researchers showed they could send a video file to their intended victims that also contained malicious code. For the attack to succeed, the user would need to be logged in on a browser, click "play" on the video and then open it in another browser tab.


The messaging services have each patched the problem affecting their browser-based applications. The hacks were possible because the encrypted-messaging services would encrypt the files and send them without evaluating them for malicious code. As a result, "WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," Check Point researchers wrote.
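The passage above points at where the check has to live: because the service only relays ciphertext, the receiving web client is the last place a decrypted attachment can be inspected before the browser renders it. As an added example (not code from the article, Check Point, WhatsApp or Telegram), the following check compares the sender's declared media type with the file's leading bytes and refuses a mismatch; the signature table and sample inputs are constructed.

```javascript
// Added example, not code from CNET, Check Point, WhatsApp or Telegram.
// Verify that a decrypted attachment really is the media type it was declared
// as, using the file's leading bytes ("magic numbers"). A file whose content
// does not match its label is refused instead of being handed to the browser.

// Constructed signature table (offset 0) for the types this client renders.
const SIGNATURES = {
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  "image/png": [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/gif": [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
  "video/webm": [[0x1a, 0x45, 0xdf, 0xa3]],
};

function matchesAt(bytes, sig, offset = 0) {
  return bytes.length >= offset + sig.length && sig.every((b, i) => bytes[offset + i] === b);
}

// Identify the real type from content; returns null when nothing is recognised.
function sniffType(bytes) {
  for (const [type, sigs] of Object.entries(SIGNATURES)) {
    if (sigs.some((sig) => matchesAt(bytes, sig))) return type;
  }
  // ISO media files (MP4) carry "ftyp" at offset 4, not at offset 0.
  if (matchesAt(bytes, [0x66, 0x74, 0x79, 0x70], 4)) return "video/mp4";
  // Anything that starts like markup is a document, whatever it claims to be
  // (this also catches SVG, which this client deliberately does not render).
  const head = new TextDecoder().decode(bytes.subarray(0, 64)).trimStart().toLowerCase();
  if (head.startsWith("<")) return "text/html";
  return null;
}

// Returns { ok: true, type } for a consistent file, { ok: false, reason } otherwise.
// Callers render with the verified type only, never with the declared one.
function vetAttachment(declaredType, bytes) {
  const detected = sniffType(bytes);
  if (detected === null) return { ok: false, reason: "unrecognised file header" };
  if (detected !== declaredType) {
    return { ok: false, reason: `declared ${declaredType} but content is ${detected}` };
  }
  return { ok: true, type: detected };
}

// Constructed samples: a genuine JPEG header, and an HTML document labelled as a photo.
const jpegSample = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]);
const htmlSample = new TextEncoder().encode("<!DOCTYPE html><html><body>not a photo</body></html>");

console.log(vetAttachment("image/jpeg", jpegSample)); // { ok: true, type: 'image/jpeg' }
console.log(vetAttachment("image/jpeg", htmlSample)); // { ok: false, reason: 'declared image/jpeg but content is text/html' }
```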

"We build WhatsApp to keep people and their information secure," WhatsApp said in an emailed statement. "When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web."

Telegram also said it patched the problem, but countered Check Point's message in a testy statement released Wednesday. Calling the researchers "irresponsible," the company said it was unlikely that a user would go through the steps necessary for the hack to work.

"The attack against Telegram required very special conditions and very unusual actions from the targeted user to succeed," the statement said. The company also disputed Check Point's claim that the attack would work in any browser, saying it had only worked in Chrome.

"We still fixed this immediately, of course," the statement said.

In response to Telegram's statement, the Check Point researchers pointed out that both Telegram and WhatsApp responded to their report by fixing their software. "We have shared all technical details to support the claims we have made and are very comfortable with the content of our blog," the researchers said in an emailed statement on Thursday.

It's not the first time that encrypted-messaging apps have pushed back on claims their users' messages are vulnerable.

Earlier in March, WikiLeaks claimed that government spies could access messages sent on WhatsApp, Telegram and a similar service called Signal, with its apparent cache of hacking tools -- but the companies were quick to point out that the encryption in the apps still works just fine, and the messages were still encrypted as they traveled across the internet.

And in January, a UC Berkeley researcher said he found a "backdoor" into WhatsApp messages, but the company said the issue flagged by the researcher was an intentional design decision and that it would not be used to intercept messages on behalf of any government.

Originally published March 15, 2017 at 2:56 p.m. PT
Update, March 16 at 10:09 a.m. PT: Adds a comment from Check Point in response to Telegram's statement.
