Updated | Hundreds of millions of WhatsApp and Telegram accounts were at risk from hackers for months through a security vulnerability in the messaging apps’ web platforms, according to security researchers.
The loophole, uncovered by researchers at security firm Check Point, allowed hackers to completely take over users’ accounts and access conversations, contact lists, photos, videos and other shared media.
Check Point informed WhatsApp and Telegram of the vulnerability on March 8 and the messaging companies have since enabled fixes to prevent their platforms from being exploited by attackers in this way.
There is no evidence that the flaw was used by hackers but a spokesperson for Check Point says it had been present on the platforms for a significant time period and put “hundreds of millions” of accounts at risk.
“In the case of WhatsApp, the vulnerability dates back a year or so, to when WhatsApp started encrypting all traffic,” the spokesperson tells Newsweek.
The vulnerability allowed hackers to send victims malicious code disguised as an image, which could then be forwarded to the victim’s contacts once hackers had seized control of the account.
WhatsApp and Telegram use end-to-end encryption in order to protect their users’ privacy, meaning the messaging platforms were unable to see the content of the messages. This would have allowed hackers to send malicious content without being spotted.
“This new vulnerability put hundreds of millions of WhatsApp Web and Telegram Web users at risk of complete account takeover,” says Oded Vanunu, head of product vulnerability research at Check Point. “By simply sending an innocent-looking photo, an attacker could gain control over the account, access message history, all photos that were ever shared, and send messages on behalf of the user.
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients.”
WhatsApp said there was no evidence that the issue had been misused. A WhatsApp spokesperson tells Newsweek: “We build WhatsApp to keep people and their information secure. When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser.”
Update: This article has been updated to include a comment from WhatsApp.