One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp, Telegram and other end-to-end encrypted chat applications. While this has yet to be proven, many end-users are concerned as WhatsApp and Telegram use end-to-end encryption to guarantee user privacy. This encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.
Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platform WhatsApp Web and Telegram Web. The online version of these platforms mirror all messages sent and received by the user, and are fully synced with the users’ device.
This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more. This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.
View the demos on WhatsApp and Telegram
The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code. The file can be modified to contain attractive content to raise the chances a user will open it. Once the user clicks to open it, the malicious file allows the attacker to access WhatsApp’s and Telegram’s local storage, where user data is stored. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to the all victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.
Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.
Check Point disclosed this information to WhatsApp’s and Telegram’s security teams on March 7th. Both companies have verified and acknowledged the security issue and developed a fix for web clients worldwide soon after. “Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu. WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.
Following the patch of this vulnerability, content is now validated by WhatsApp and Telegram before the encryption, allowing them to block malicious files.
Check Point Security TipsWhile WhatsApp & Telegram have patched this vulnerability, as a general practice we recommend the following preventive measures:
Periodically clean logged-in computers from your WhatsApp & Telegram. This will allow you to control the devices that are hosting your account, and shut down unwanted activity. Avoid opening suspicious files and links from unknown users.WhatsApphas over 1 billion users worldwide, making it the most prevalent instant messaging service existing today. The company’s web version is available on all browsers and WhatsApp supported platforms, includingAndroid,iPhone (iOS), windows Phone 8.x,BlackBerry,BB10and Nokia smartphones.
Telegramhas over 100 million monthly active users, delivering over 15 billion messages daily. It is a cloud-based mobile and Web messaging app, stating that their focus on security and speed.
In September 2015, we revealed another vulnerability in WhatsApp Web , which allowed hackers to send users a seemingly innocent vCard containing malicious code. Once we disclosed the vulnerability to WhatsApp, it was immediately fixed by the company.
Technical Details WhatsAppWhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images.
Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.
However, Check Point research team has managed to bypass the mechanism’s restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to takeover his account.
Once the victim clicks on the document, the WhatsApp web client uses the FileReader HTML 5 API call to generate a unique BLOB URL with the file content sent by the attacker then navigates the user to this URL.
The attack on WhatsApp consists of several stages that mentioned below.
First, the attacker crafts a malicious html file with a preview image:
WhatsApp web client stores the allowed document types in a client variable called W[“default”].DOC_MIMES this variable stores the allowed Mime Types used by the application.
Since an encrypted version of the document is sent to WhatsApp servers it is possible to add new Mime type such as “text/html” to the variable in order to bypass the client restriction and upload a malicious HTML document.
After adding the malicious document Mime Type to the client variable, the client encrypts the file content by using the encryptE2Media function and then uploads it encrypted as BLOB to WhatsApp server.
Moreover, changing the document name and extension and creating a fake preview by modifying the client variables will make the malicious document more attractive and legitimate to the victim.
This is the result:
Once he clicks on the file, the victim will see a funny cat under blob object which is an html5 FileReader object under web.whatsapp.com. That means the attacker can access the resources in the browser under web.whatsapp.com
Just by viewing the page, without clicking on anything, the victim’s Local storage data will be sent to the attacker, allowing him to take over his account.
The attacker creates a javascript function that will check every 2 seconds if there is new data in the backend, and replace his local storage to the victim.
Part of attacker’s code:
The attacker will be redirected to the victim’s account, and will be able to access anything in it.
WhatsApp web does not allow a client to have more than one active session at a time so after the attacker steal the victim account the victim will receive the following message: