WhatsApp and Telegram patched flaws in their popular instant messaging applications after security researchers showed that they could seize control of user accounts.
Researchers with Check Point Software Technologies Inc discovered problems with the way the two apps process some types of files without verifying that they do not contain active code that could be malicious.
Check Point said that it alerted Telegram and Facebook-owned WhatsApp last week, waiting until the vulnerability was patched before making it public.
Flaws in popular instant messaging applications are less common than traditional desktop software. The apps are often used because of their heavy encryption, which has been criticised by some in laws enforcement.
WhatsApp and Telegram specifically use end-to-end encryption designed to make certain only senders and recipients can see what is in messages.
The privacy protection had the side effect of preventing the services from being able to discern whether message contents included malicious code, according to Check Point.
“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account take over,” Check Point head of product vulnerability Oded Vanunu said in a release.
“By simply sending an innocent looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.”
Check Point was able to send files to the Web-based versions of the products with malicious code while making it seem to be something else, such as a picture. In WhatsApp’s case, once opened by the recipient, the code allowed the researchers to get into the local storage of the user and then access the user’s account. From there, they could have sent the same malicious attack to all of the users’ contacts.
Telegram’s flaw was much more subtle and required “very unusual” behaviour by the victim, such as right-clicking on a video and opening a new tab, said spokesman Markus Ra.
To remedy the situation, both services shifted to finding and blocking viruses before messages are encrypted, the security researchers said.
There is no evidence that any similar attacks were actually used in the wild against either company’s products, Ra said.
Check Point did not specify how many messaging accounts were at risk, but did say the flaw posed a danger to “hundreds of millions” of users accessing the messaging platform from Web browsers in computers, as opposed to mobile applications.
“When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web,” said Anne Yeh, a spokeswoman for that Facebook unit. “To ensure that you are using the latest version, please restart your browser.”