back to article WhatsApp blind-sided by booby-trapped photo vulnerability

Security researchers have found the same type of vulnerability in the respective web platforms of WhatsApp and Telegram (WhatsApp Web and Telegram Web), two of the world’s most popular messaging services. The now-resolved vulnerability - discovered by security researchers at Check Point - would have allowed an attacker to send …

  1. Jon 37 Silver badge
    FAIL

    What?

    "content will now validated before the encryption"

    Lets get this right. The attack is: attacker sends malicious content to victim which automatically executes on victim's computer. And their claimed "fix" is to validate the content in Javascript on the *attackers* computer???!!! Javascript that the attacker could easily modify or bypass.

    The proper fix is to make the receiver (victim) side *not automatically run executable content*.

    1. Crazy Operations Guy

      Re: What?

      Really, since the attack vector is an image: "Fix their web/mobile app so it stops trying to execute data"

      This is why NX/XD/W^X needs to be active on -everything-. User data should never be executable...

      1. Aitor 1

        Re: What?

        Correct.

        They have fixed 12 year olds sending an image bomb, but not more serious attacks and worms, as it is as easy as hijacking a mobile phone, and using a custom client to inject the messages.

    2. Brewster's Angle Grinder Silver badge

      Re: What?

      The code contained javascript protections that the attack bypassed. So I doubt they'll replicate that solution.

      There is an encryption function used to send the message. It's not clear if that is written in javascript or can be hacked. But it could be validated in there.

      However from the outside a more sensible solution would be to validate the code in the receiver, since the attacker can't control the decryption program.

      Anyway, who uses the web app?

    3. eldakka
      Facepalm

      Re: What?

      Nah, they probably send the data to Whatsapp's server first, it then validates the data, then gives an OK back to the senders browser to encrypt the data before sending to the receiver.

      1. Goopy

        Re: What?

        Good that way WhatsApp servers will have unencrypted data under servers to be hacked at a later time because you can't look at code to see if it's valicious of as you can see it it it's all encrypted form Therefore your data is no longer in Cryptid from point A to point B somewhere in the middle as WhatsApp server looking at unencrypted data that may or may not be executable and may or may not be your photos that you want to remain private or anything that you said that you want to make privates.

  2. Simon Harris

    As soon as the user clicked on the image...

    so don't open a message from someone who's not in your contacts list?

    (assuming your contacts aren't the sort of people to pull such a prank).

    1. Crazy Operations Guy

      Re: As soon as the user clicked on the image...

      That would assume that your contacts haven't been compromised. I remember back in the early 90's when virus would propagate by sending themselves to everyone in your address book, no reason this exploit couldn't do that.

    2. Aitor 1

      Re: As soon as the user clicked on the image...

      The whole point is sending messages from a friends phone that got borked.

      1. Goopy

        Re: As soon as the user clicked on the image...

        No.

    3. Alumoi Silver badge

      Re: As soon as the user clicked on the image...

      Anybody knows where I can get my hands on such kind of images? For educational purpose only as I know a couple of assho... erm, friends who keep pestering me.

  3. kbb

    Telegram says it does not have the same issue

    From http://telegra.ph/Checkpoint-Confusion-NEWS

  4. Anonymous Coward
    Anonymous Coward

    Confusing

    WhatsApp updated their web app, so it's not about the mobile apps? Is telegram talking about their mobile app?

  5. Anonymous Coward
    Facepalm

    F*cking Amateurs

    Go have a look at the exploit code in the Checkpoint article for a good laugh, folks.

    This confirms that neither company gives a damn about security. Typical internet startup profiteers. It doesn't help that the Web (and HTML5 feature bloat in particular) is a security minefield. As are mobile OSes.

    @AC @kbb: these are both web app vulns. Telegram's vuln was not the same, but very similar.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like