WhatsApp and Telegram’s end-to-end encryption is too safe for its own liking. This week, a security software company has reported that a malware vulnerability, on both the messaging platforms, has raised serious data security concern.
If the knowledge falls into the wrong hands, it could compromise data of millions of WhatsApp and Telegram users. As scary as this might sound, the threat has been notified to WhatsApp and Telegram, and has been fixed at the time of publishing this piece.
The report has been shared by Check Point Software Technologies, who have clearly indicated that downloading images and videos on your phone from these platforms could be riskier than they could imagine.
When you talk about certain file formats –PDF, doc files, videos – that you can see on WhatsApp and Telegram, they need to be downloaded first, and then executed on your system to view their content.Saket Modi, CEO and Co-founder at Lucideus Tech
End-to-end encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.
This has been lauded by many people, including the users, so that no misuse of such data happens. But as it turns out, hackers could even turn this strong point to their benefit.
This same mechanism has also been the origin of a new severe vulnerability, which the folks at Check Point have been able to discover in both – WhatsApp and Telegram, albeit just the web version.
The reason this flaw works is because WhatsApp and Telegram support HTML, Text and video format files to be sent to each other.Check Point Software Blog
How it Happened?
Check Point was quick to point out that since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.
It adds that the affected HTML files would look like a normal image, and clicking on that image would navigate you to the infected page, and in turn, the data stored in your internal storage will be sent to the hacker.
Speaking to Saket Modi, Co-founder at Lucideus, a cyber security firm, we got some interesting insights into how the web version of WhatsApp or Telegram could be more prone to such attacks than the mobile version.
He also pointed out the core reason or matter that leads to this vulnerability to take place.
With an HTML code, there was a malicious pointer which could execute a JavaScript, using which they were able to access the locally stored file linked to WhatsApp.Saket Modi, CEO and Co-founder at Lucideus Tech
Who’s at Fault?
Both Check Point and Saket have stayed away from pointing fingers at anyone, with special emphasis on the fact that encryption isn’t the sole reason for this vulnerability.
Encryption is one piece of the puzzle. The actual reason for vulnerability was because of the malware that could be executed through the browser.Saket Modi, CEO and Co-founder at Lucideus Tech
However, he did alert everyone to the reality that hacking WhatsApp data is very much doable, and it doesn’t matter if you’re a celebrity or just a normal person on the social platforms.
WhatsApp doesn’t delete conversations on phone. The app stores user data (messages) as an encrypted file whose encryption in the past has been subject to breaches multiple times.Saket Modi, CEO and Co-founder at Lucideus Tech
Being part of the digital-cum-social sphere comes with its set of responsibilities and awareness, and users ought to adhere to that for their own safety.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)