In another security vulnerability issue, a security flaw has been identified by Check Point in WhatsApp’s code. It reported to WhatsApp on 7 March and since then the messaging platform has taken steps to resolve the issue.
The vulnerability was lingering on WhatsApp’s online platform – WhatsApp Web – which allows users to communicate from a computer rather than a phone.
Hackers could exploit the flaw by sending a target malicious code hidden within an image. In turn, these malicious actors could then gain access to WhatsApp storage data and take over the user’s account.
This malicious code could then be sent out to all the contacts on the compromised device.
“The WhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images,” explained Check Point. “Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.
“However, Check Point’s research team has managed to bypass the mechanism’s restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to takeover his account.”
“WhatsApp and Telegram [where another similar flaw was discovered] use end-to-end message encryption as a data security measure, to ensure that only the people communicating can read the messages, and nobody in between,” said Check Point.
“Yet, the same end-to-end encryption was also the source of this vulnerability. Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were therefore unable to prevent malicious content from being sent.
“After fixing this vulnerability, content will now be validated before the encryption, allowing malicious files to be blocked.”
Alex Mathews, lead security evangelist at Positive Technologies has reacted to this news, and said “One billion people now use Whatsapp and 100 million Telegram. Given the fact such services are deeply ingrained in a massive portion of the world’s daily lives, they are going to be an emerging target for attacks of all kinds. When you raise your head above the parapet, people look to knock it off for nefarious gain. This is the unfortunate truth of today’s digitally reliant world.”
“The security research community plays a vital part in addressing this problem, helping companies in positions of influence find vulnerabilities and weaknesses in their approach and assisting with fixes. The quick response of both WhatsApp and Telegram in this case is a positive sign of this process at work.”
Indeed, the security research community will continue to play a vital role in exposing flaws that would otherwise go unnoticed by site/app administrators.
In a closing thought Professor Giovanni Vigna, co-founder of malware detection firm Lastline said “This flaw shows how difficult it is to balance security and usability. WhatsApp did the right thing by encrypting the content, but by doing it too early in the message analysis pipeline, they could not determine that a message might be crafted to contain malicious code. This code could then access [personal] information, which could be used to log into a user’s account for the web application.”
“This flaw could be easily mitigated by using 2-factor authentication (recently introduced by WhatsApp), which has been proven to be one of the best security mechanisms to prevent wide-spread compromise.”