A red flag for subscribers who expect end-to-end encryption to be protecting their privacy.

Researchers have uncovered what they term a "severe vulnerability" in WhatsApp and Telegram, two enormously popular apps that use end-to-end encryption enabling users to communicate privately.

The online versions of these messaging services "mirror all messages sent and received by the user, and are fully synced with the users' device," according to a report from Check Point.

This should be raising a red flag for subscribers of the platforms who expect the end-to-end encryption to be protecting their privacy – WhatsApp has more than one billion users worldwide, while Telegram has more than 100 million monthly active users.

The flaw lies in the file upload mechanism, which lets users attach several document types, such as Office documents, PDFs, audio files, videos and images.

The Check Point research team was able to "bypass the mechanism's restrictions by uploading a malicious HTML document with a legitimate preview of an image." This would dupe a recipient into clicking on the legitimate-seeming image. At that point, the WhatsApp web client "uses the FileReader HTML 5 API call to generate a unique BLOB URL." The user is then redirected to the malicious URL.

If exploited, the vulnerability detected by the Check Point researchers could enable remote attackers to gain access to WhatsApp's and Telegram's local storage and thus take over any user's account and siphon out personal and group conversations, photos, videos and other shared files, contact lists, and more, the report stated. The implication is that the material could then be uploaded online under the user's identity, messages could be sent in their name, and their friends' accounts could also be targeted.

"Once bypassing WhatsApp and Telegram file upload security validations, attackers can add any HTML or JavaScript code that will be executed on the other side," Oded Vanunu, head of product vulnerability research at Check Point, told SC Media on Wednesday.

In both apps, he said, the attack uses an image or video carrying malicious HTML or JavaScript code; there is no difference between the two attack methods.

"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," the report explained.

Following Check Point's disclosure of the flaw on March 7 to the security teams at WhatsApp and Telegram, the companies each quickly issued a fix. Users are advised to make certain they are using the latest version and to restart their browsers.

"Following the patch of this vulnerability, content is now validated by WhatsApp and Telegram before the encryption, allowing them to block malicious files," the report said.
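The bypass described above (an HTML document presented as an image) and the fix described here (validating content before encryption) both come down to one check: trusting the bytes of an upload rather than its declared type. The following is an added example of such a check, not Check Point's, WhatsApp's or Telegram's code; the signature table, function names and sample inputs are all constructed for illustration.

```javascript
// Magic-byte signatures for the image types this check accepts.
const IMAGE_SIGNATURES = [
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/png",  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif",  magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Return the image MIME type whose magic bytes open the file, or null.
function sniffImageType(bytes) {
  for (const { type, magic } of IMAGE_SIGNATURES) {
    if (magic.every((b, i) => bytes[i] === b)) return type;
  }
  return null;
}

// True if the file opens like an HTML/XML/SVG document: markup carrying an image name or preview.
function looksLikeMarkup(bytes) {
  const head = String.fromCharCode(...bytes.subarray(0, 512)).toLowerCase();
  return /^\s*<\s*(!doctype|html|head|body|script|svg|\?xml)/.test(head) || head.includes("<script");
}

// Decide whether the upload may proceed. Only the sniffed type is trusted;
// the declared type (file name, preview or MIME header) never is.
function validateUpload(declaredType, bytes) {
  const sniffed = sniffImageType(bytes);
  if (sniffed === null) {
    const reason = looksLikeMarkup(bytes) ? "markup disguised as image" : "unrecognised image bytes";
    return { ok: false, reason, type: null };
  }
  if (sniffed !== declaredType) {
    return { ok: false, reason: `declared ${declaredType} but content is ${sniffed}`, type: sniffed };
  }
  // A client that builds a Blob URL for the preview should pass `type: sniffed`
  // to the Blob constructor, never the caller-supplied declaredType.
  return { ok: true, reason: "declared type matches content", type: sniffed };
}

// Constructed sample inputs (not real captured uploads).
const SAMPLE_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const SAMPLE_HTML_AS_PNG = new TextEncoder().encode("<!DOCTYPE html><html><body>not an image</body></html>");

console.log(validateUpload("image/png", SAMPLE_PNG));          // ok: true
console.log(validateUpload("image/png", SAMPLE_HTML_AS_PNG));  // ok: false, "markup disguised as image"
console.log(validateUpload("image/jpeg", SAMPLE_PNG));         // ok: false, declared image/jpeg but content is image/png
```

Run this check on the sending side before encryption, as the patched services now do; a check that runs only in the recipient's browser, after decryption, is too late to stop the file from being delivered.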

The good news is that the flaw has not yet been detected in the wild, Vanunu told SC. But that does not mean users are safe, as WikiLeaks documents have provided evidence that governments are attempting to find such vulnerabilities, he said.

"Today's vulnerability disclosure regarding the malicious image parsing vulnerabilities for WhatsApp and Telegram web applications is certainly concerning news, but it's important to remember that the scope of the suggested attack is limited only to the web applications for these messaging services," Tod Beardsley, director of research at Rapid7, informed SC Media on Wednesday.

The WhatsApp and Telegram mobile apps are unaffected by these vulnerabilities, he said.

"Since these issues only affect the web application, users don't need to do anything more than simply reload those websites to get the fixes," he advised. "It would be prudent for those users to also take a moment today to expire out their existing sessions by logging off and logging on again, though there's no indication these attacks are being used in the wild today."