SECURITY RESEARCHERS at Check Point have uncovered a "severe" vulnerability in WhatsApp that could allow hackers to hijack accounts through the use of malware-laced images.
The vulnerability in question affects WhatsApp Web, along with Telegram's similar web-based service, and stems from a problem with the way the two messaging apps process some types of files without verifying that they do not contain malicious code.
Because of this, attackers are able to send malicious code disguised as an innocent-looking image, allowing them to gain access to a WhatsApp or Telegram user's local storage and take control of their account.
"The WhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images," explains Check Point. "Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.
"However, Check Point's research team has managed to bypass the mechanism's restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to take over his account."
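The flaw Check Point describes is a file-type check that trusted the declared type and the preview rather than the bytes. The following is an added example, not code from Check Point, WhatsApp or Telegram, showing the kind of check a web client or upload service can run before rendering an attachment inline: it sniffs the magic bytes, requires them to agree with the declared MIME type, and rejects image data that carries HTML markup. The function names and the constructed sample attachments are assumptions for illustration.

```javascript
// Added example (not Check Point's, WhatsApp's or Telegram's code):
// verify that an attachment's bytes match the image type it claims to be,
// so an HTML document wearing an image preview is rejected before rendering.
// Input is a Uint8Array; works in Node or a browser.

// Signatures of the image types the client is willing to render inline.
const MAGIC = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

function startsWith(buf, prefix) {
  if (buf.length < prefix.length) return false;
  for (let i = 0; i < prefix.length; i++) {
    if (buf[i] !== prefix[i]) return false;
  }
  return true;
}

// Sniff the real type from the leading bytes; null if no allowed type matches.
function sniffImageType(buf) {
  for (const m of MAGIC) {
    if (startsWith(buf, m.bytes)) return m.mime;
  }
  return null;
}

// Cheap check for markup hiding inside something declared as an image
// (only the first 1 KiB is inspected, byte-for-byte as Latin-1 text).
function looksLikeHtml(buf) {
  let head = '';
  const limit = Math.min(buf.length, 1024);
  for (let i = 0; i < limit; i++) head += String.fromCharCode(buf[i]);
  return /<!doctype\s+html|<html|<script|<svg/i.test(head);
}

// Decide whether the attachment may be rendered inline as an image.
// Returns { ok: true, mime } or { ok: false, reason }.
function validateAttachment(declaredMime, buf) {
  const real = sniffImageType(buf);
  if (real === null) {
    return { ok: false, reason: 'no recognised image signature' };
  }
  if (real !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${real}` };
  }
  if (looksLikeHtml(buf)) {
    return { ok: false, reason: 'markup found inside image data' };
  }
  return { ok: true, mime: real };
}

// Headers a download endpoint should attach to anything that failed the
// check: force a download and forbid browser content sniffing.
function quarantineHeaders(filename) {
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${filename.replace(/"/g, '')}"`,
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample attachments (not real captures).
const ascii = (s) => new Uint8Array(Array.from(s, (c) => c.charCodeAt(0)));
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
                                   0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const SAMPLE_HTML = ascii('<!DOCTYPE html><html><script>1</script></html>');
// A polyglot: valid PNG signature followed by markup.
const SAMPLE_POLYGLOT = new Uint8Array([...SAMPLE_PNG, ...ascii('<script>1</script>')]);

function demo() {
  return {
    png: validateAttachment('image/png', SAMPLE_PNG),
    htmlAsPng: validateAttachment('image/png', SAMPLE_HTML),
    polyglot: validateAttachment('image/png', SAMPLE_POLYGLOT),
    wrongDeclared: validateAttachment('image/jpeg', SAMPLE_PNG),
  };
}
```

The design point is that the preview thumbnail and the declared type are both attacker-controlled, so the only trustworthy input is the byte stream itself; anything that fails the check is served as an opaque download rather than rendered in the messaging origin.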
If exploited, this could give hackers access to a user's messages, shared files, contact list and more.
Check Point warns: "This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts."
The security firm notified WhatsApp and Telegram of the flaw on 7 March, and both companies have fixed the issue.
Check Point said that there is no evidence that the flaw was used by hackers, but noted that it had been present on the platforms for a significant period of time and put "hundreds of millions" of accounts at risk.
Still, Check Point advises that users avoid opening suspicious files and links from unknown users, obvs, and periodically review and log out of WhatsApp and Telegram sessions on computers where they have signed in.