Analysts at Check Point Securities declared an accusation against WhatsApp and Telegram, pointing out the way these chat services process images and multimedia files. Check Point was capable of creating a malware-laden HTML page. Once loaded, the page will steal all locally stored data, allowing attackers to essentially hijack the user’s account. “By simply sending an innocent-looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user,” said Oded Vanunu, head of product vulnerability research at Check Point.
In regards to WhatsApp, the user had to persistently open the sent image, making the unrealistic misuse for botnets or mass surveillance. The susceptibility was more difficult to expose on Telegram, necessitating a user to open a video in a separate Chrome tab, which was described as “a very unusual user interaction.” The liability was testified to both services on March 8th, and both have since Improved their systems to shield against related attacks. WhatsApp did not respond to a request for comment.
Dissimilar from conventional email or chat services, WhatsApp and Telegram have no way of reading messages between users, an essential part of the assurance of end-to-end encryption. In this case, that agreement may have made it simpler for the wicked image to slip through. With no method for interrupting messages in transit, it is far more problematic to scan for viruses or other malevolent attacks sent using the service. In November, Check Point revealed a malware campaign that infected over 1 million Android phones to up-vote products in the Google Play Store.