Vulnerability in WhatsApp and Telegram Allowed Complete Account Takeover

[Zarathustra[H]]

Well, it looks like the CIA might have been slacking on this one, as they were apparently unaware of any method to break popular encrypted messaging clients remotely, instead having to take the circuitous route of first compromising the handset itself in order to listen in on communications.

HelpNetSecurity has disclosed that up until recently it was possible to send a innocent image containing malicious code to WhatsApp and Telegram clients. Once clicked, the attacker would gain complete access to their accounts, accessing all conversations, photos, videos, etc. The root of the issue seemed to be that since the messages were end-to-end encrypted, WhatsApp and Telegram couldn't filter transmissions for malicious content. The Whatsapp and Telegram teams apparently did a good job at responding quickly to this vulnerability and patching it up.

“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu, head of product vulnerability research at Check Point. WhatsApp Web users wishing to ensure that they are using the latest version are advised to restart their browser.

 

[Gigus Fire]

what's an image with malicious code? Somehow a png and jpg can have code associated with it and executed or were they stupid and encapsulated the raw image with javascript or something along those lines?

 

[blkt]

what's an image with malicious code? Somehow a png and jpg can have code associated with it and executed or were they stupid and encapsulated the raw image with javascript or something along those lines?

Many different file formats have been exploited in the past: fonts, documents, compressed files, audio and configuration files you name it. There are all sorts of methods to inject and execute code in ways not intended.