WhatsApp security flaw exposed millions of users to having accounts taken over by hackers

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Security experts have discovered a vulnerability in WhatsApp, that could have allowed hackers to take over “hundreds of millions” of users’ accounts and access everything in them.

The flaw was discovered by Check Point and reported to WhatsApp on 7 March. The company has since taken steps to fix the issue.

It affected WhatsApp’s online platform, WhatsApp Web, which allows users to chat with their friends from a computer instead of their phone.

By sending a target malicious code hidden within an innocent-looking image, hackers could gain access to their WhatsApp storage data and take control of their account. What’s more, from this position they could also carry out the same attack on all of the victim’s contacts.

“The WhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images,” explains Check Point. “Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.

“However, Check Point’s research team has managed to bypass the mechanism’s restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to takeover his account.”

A similar flaw was discovered on rival messaging app Telegram.

“WhatsApp and Telegram use end-to-end message encryption as a data security measure, to ensure that only the people communicating can read the messages, and nobody in between,” said Check Point.

“Yet, the same end-to-end encryption was also the source of this vulnerability. Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were therefore unable to prevent malicious content from being sent.

“After fixing this vulnerability, content will now be validated before the encryption, allowing malicious files to be blocked.”

Fortunately, all WhatsApp Web users need to do to protect themselves is restart their browser.

WhatsApp’s use of encryption has been the focus of heavy attention following WikiLeak’s recent Vault 7 document release.

According to the files, the CIA is capable of bypassing encryption on a number of popular messaging apps including WhatsApp, which it does by attacking smartphones directly.