WhatsApp, one of the most used and famed app for messaging has now been disclosed to be at risk when operated through an internet browser.
An Israeli security firm Check point has discovered the two apps, WhatsApp and Telegram prone to vulnerabilities although they are secured with end-to-end encryption. In the provided details, a hacker could bypass the app’s end-to-end encryption and could take over the account of an individual by sending a single image.
The image’s HTML code is hidden and when the recipient open that image, he/she is actually downloading the malware which gives the key to access that account with all the information including private messages, photos, videos and the contacts. However, the web version of the Telegram is also liable to similar attack but according to researchers, it can hide malicious code in a video that a user opens in a new tab.
While both the companies have made changes and fixed the vulnerabilities which were reported on 8th march. However, it has left several users open to crypto-circumventing spies. According to security researchers when it comes to privacy, smartphones are more secure as attacks point to inherent vulnerabilities in the web versions of any secure messenger.
“Unfortunately, this does highlight a weakness specific to web applications,” says Nadim Kobeissi, the founder of the applied cryptography consultancy Symbolic Software. In fact, before Kobeissi has acclaimed the ease in using the web based crypto apps. But after the check point’s revelations, he also admits the fact that the web apps are prone to the vulnerabilities which a mobile app is not.
“It’s kind of heartbreaking to have to say this, but if you’re someone in a precarious situation and you care about your security, I’d recommend you use WhatsApp on an iPhone,” he says.
A security researcher at Check point Oded Vanunu says, “Every web application, whether it’s Facebook or a bank application, has to make sure that anything you enter as an input or that you upload is the kind of file type they’re permitting.”
However, check point’s attack was showing that the ‘input validation’ process is flawed, which makes sure that image or video is a type of file which it seems to be, instead of a malware that would transfer the commands to the attacker.
“Once you manage to bypass that validation, it’s game over. The browser will run whatever you give it.” Says Oded.
Kobeissi says that web pages are more prone to vulnerabilities in these attacks. According to him the web browser as compared to typical operating systems have less distinct and isolated components which render different types of data like an image, video, or executable commands. The chance to get new data is possible in web apps as the web-based language JavaScript allows so-called ‘just-in-time’ gathering of new code which makes the app to dysfunction. Whereas, in mobile or desktop apps compilation is necessary before installation.
“That’s why these vulnerabilities work, and why they highlight a particular weakness in web apps,” Kobeissi says.
However, that doesn’t mean the attack discovered by Check point occurs often. The Check point’s Vanunu and Kobeissi both said that the WhatsApp related vulnerability, exposed by the organization happens very rare and is a uniquely serious flaw. “It’s not a new class of attack,” Kobeissi said. “But this is an impressive and clever one.”
Whereas, the Check point have mentioned some ways to prevent being a victim of such attacks. They advise you to regularly clean logged-in PCs and avoid opening suspicious files and links.
Share this article
About the Author
Zehra Ali is a Tech Reporter and Journalist. She has done her Masters in Mass Communication. Topics related to cybersecurity, IoT, AI, Big Data and other privacy matters are extensively covered by her on various platforms. You can follow her on twitter.
More from Zehra AliRelated Posts
Passengers’ Data Stored on User Devices, not on DigiYatra Storage, says India Govt
KEY TAKEAWAYS Unblocking streaming content from Amazon Prime is easy only if you know the reliable V...
NCSC Chief: Clear Rules Needed to Prevent Cyberspace Conflict and Struggle
A safe and secure digital world necessitates a clear definition and enforcement of international cyb...
‘Revive’ has been upgraded to a banking Trojan on Android
This month, Cleafy’s security researchers discovered a new Android Banking Trojan in the wild....
Asian Industrial Control Systems Targeted by Hackers Using the Shadowpad Backdoor
Unpatched Microsoft Exchange servers in various Asian countries were the target of an attack campaig...
Data Breaches Could Occur Due to Kubernetes Misconfigurations That Were Leaked.
Over 900,000 Kubernetes (K8s) have been discovered to be vulnerable to malicious scans and/or data-e...
Attacks by Cybercriminals Will Become the Main Threat in 2024. Privacy Issues Tendencies
Internet Privacy is the main Concern today Advertisers track your online activities and interf...