Security researchers just announced the discovery of major vulnerabilities in WhatsApp and Telegram, two popular messaging apps with end-to-end encryption, when used in an internet browser. In related news, you can use WhatsApp and Telegram in an internet browser.
A team at Israeli security firm Check Point just disclosed details of the vulnerability, which let a hacker send a single image, embedded with malware, through a web browser and take complete control of the recipient’s account. To be more specific, the hacker could send a message to any user and attach a malicious HTML document and then upload a picture as a preview image. When the user thinks they’re opening an image file (in this case, a perennially hilarious fat cat meme), the poor sheep is actually downloading malware that gives the hacker keys to their account. Ironically, the very security measure that makes these apps so popular is also what led to this vulnerability.
“Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” the Check Point researchers explained in a blog post. In other words, the end-to-end encryption actually provided a good cover for bad hackers. Both WhatsApp and Telegram have confirmed the vulnerability and issued patches. The companies say there doesn’t appear to be any evidence that anyone exploited the vulnerability before Check Point reported it, but that’s what companies pretty much always say in these circumstances.
Can we back up for a second, though? Who knew you could use WhatsApp on the web?
Apparently, the smartphone app has worked in browsers since 2015—and has featured this newly reported vulnerability since day one. But here you were, iPhone user, thinking you were operating within the safety of Apple’s walled garden. (Android users should basically always assume they’re at risk of being hacked, since the Google software is notoriously riddled with security problems.) Everything gets a little hairier when services are operating on the World Wild Web, though. This might be why Open Whisper Systems doesn’t offer a web version of its acclaimed end-to-end encryption app, Signal.
Don’t panic quite yet. Again, the WhatsApp and Telegram vulnerabilities have been patched, although it remains unclear if similar bugs exist for other web-based messaging apps. In the end, you should use this news as a reminder that no software is completely hacker-proof. If you want to make sure your communications are completely secure, you’ll just have to write your messages on paper, hand deliver them in a surveillance-free environment, watch your recipients read them, and then set those messages on fire. This ancient method still works great.