WhatsApp security flaw exposed millions of users to having accounts taken over by hackers

The messaging app uses end-to-end encryption to protect data, but it was at the heart of this particular problem

Aatif Sulleyman
Wednesday 15 March 2017 14:00 GMT
A similar flaw was discovered in WhatsApp rival Telegram (iStock)

Security experts have discovered a vulnerability in WhatsApp that could have allowed hackers to take over “hundreds of millions” of users’ accounts and access everything in them.

The flaw was discovered by Check Point and reported to WhatsApp on 7 March. The company has since taken steps to fix the issue.

It affected WhatsApp’s online platform, WhatsApp Web, which allows users to chat with their friends from a computer instead of their phone.

By sending a target malicious code hidden within an innocent-looking image, hackers could gain access to their WhatsApp storage data and take control of their account. What’s more, from this position they could also carry out the same attack on all of the victim’s contacts.

“The WhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images,” explains Check Point. “Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.

“However, Check Point’s research team has managed to bypass the mechanism’s restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to take over his account.”

A similar flaw was discovered on rival messaging app Telegram.

“WhatsApp and Telegram use end-to-end message encryption as a data security measure, to ensure that only the people communicating can read the messages, and nobody in between,” said Check Point.

“Yet, the same end-to-end encryption was also the source of this vulnerability. Since messages were encrypted on the side of the sender, WhatsApp and Telegram were blind to the content, and were therefore unable to prevent malicious content from being sent.

“After fixing this vulnerability, content will now be validated before the encryption, allowing malicious files to be blocked.”
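Check Point’s stated fix is to validate attachment content before it is encrypted. As an added illustration, not code from WhatsApp, Telegram or Check Point, the check below compares an attachment’s declared type with its leading bytes and refuses an HTML document that is labelled as an image; the function names, the magic-byte table and the sample data are assumptions.

```javascript
// Added example (not WhatsApp's, Telegram's or Check Point's code): a client-side
// check that an attachment's bytes agree with its declared type before it is
// encrypted and sent. Function names and the upload hook are hypothetical.

// Leading "magic" bytes for some of the types the article says the upload
// mechanism accepts (images and PDF shown; assumed table, extend as needed).
const MAGIC = [
  { mime: 'image/png',       bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg',      bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',       bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] },
];

// Return the MIME type implied by the file's first bytes, or null if none match.
function sniffType(buf) {
  for (const { mime, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Look for HTML markup in the first 512 bytes: that is what a browser would
// render if the blob were opened as a document rather than shown as an image.
function looksLikeHtml(buf) {
  const head = String.fromCharCode(...buf.subarray(0, 512)).toLowerCase();
  return /<!doctype\s+html|<html|<script|<body|<iframe/.test(head);
}

// Decide whether the attachment may be sent. The declared type comes from the
// upload form; the bytes are inspected directly, so a file that is really HTML
// but claims to be an image is refused before encryption hides it from the server.
function validateAttachment(declaredMime, buf) {
  const actual = sniffType(buf);
  if (actual === null) {
    return { ok: false, reason: 'content does not match any allowed type' };
  }
  if (actual !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${actual}` };
  }
  if (looksLikeHtml(buf)) {
    return { ok: false, reason: 'HTML markup embedded in attachment' };
  }
  return { ok: true, reason: 'content matches declared type' };
}

// Constructed samples: a minimal PNG header, and an HTML document that will be
// submitted with a JPEG label.
const SAMPLE_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SAMPLE_HTML = new TextEncoder().encode('<!DOCTYPE html><html><body>hi</body></html>');
```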

Fortunately, all WhatsApp Web users need to do to protect themselves is restart their browser.

WhatsApp’s use of encryption has been the focus of heavy attention following WikiLeaks’ recent Vault 7 document release.

According to the files, the CIA is capable of bypassing encryption on a number of popular messaging apps including WhatsApp, which it does by attacking smartphones directly.
