New WhatsApp & Telegram encryption flaw identified

WhatsApp gained a whole host of new users and a great deal of credibility when it introduced end-to-end encryption to its service last year. They were the first mainstream messaging app to take such a step, and plenty of their rivals have since followed suit.

But it seems their encryption might not be as secure as they would have users believe. An Israeli security firm called Check Point has revealed a technique which they say allows hackers to bypass WhatsApp encryption and access user content.

WhatsApp Encryption issues

Despite its end-to-end encryption being a recent addition to WhatsApp’s service, this is not the first time it has encountered problems.

As we reported earlier this year, an independent researcher had identified a technique which would allow WhatsApp to force the creation of new encryption keys on users and therefore have access to their content in the meantime.

But this new technique is completely different. It involves hiding some HTML code in an image file which, if clicked on when using WhatsApp in a web browser, will run in the browser. The code will then allow hackers to access all messages and also any shared media.

In the same blog, Check Point also identified a similar technique which could affect users of Telegram, another end-to-end encrypted messenger. This technique involved code hidden in a video file which activates when a user opens that file in a new tab.

Wider Implications

As all responsible security researchers would, Check Point reported these vulnerabilities to WhatsApp and Telegram before going public with the revelation, and both companies have now patched the vulnerabilities.

But as Check Point point out, the problems they have identified could have much wider implications for the web versions of any encrypted messenger. The vulnerabilities both take advantage of the way web apps perform “input validation”. This is the process in which they check that photo and video files are what they claim to be rather than a potentially dangerous piece of code.

Once the “input validation” process is broken, it is technically possible to run anything through that web app. It is a vulnerability which is only found in these web apps and it is why they can be so vulnerable.
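As an added illustration of the input validation described above (not code from Check Point, WhatsApp or Telegram), the following example checks that a file's bytes match the media type it claims to be. The function names `sniffMediaType` and `validateUpload`, the allowlist and the sample data are assumptions made for this example.

```javascript
// Added example: allowlist of media types and the byte signature each must carry.
const SIGNATURES = [
  { type: "image/jpeg", offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { type: "image/png", offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif", offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] },  // "GIF8"
  { type: "video/mp4", offset: 4, bytes: [0x66, 0x74, 0x79, 0x70] },  // ISO BMFF "ftyp" box
  { type: "video/webm", offset: 0, bytes: [0x1a, 0x45, 0xdf, 0xa3] }, // EBML header
];

// Return the media type whose signature matches the file content, or null.
function sniffMediaType(data) {
  for (const sig of SIGNATURES) {
    if (data.length < sig.offset + sig.bytes.length) continue;
    if (sig.bytes.every((b, i) => data[sig.offset + i] === b)) return sig.type;
  }
  return null;
}

// Hypothetical helper: accept a file only if the claimed type is on the
// allowlist AND the bytes carry that type's signature. A matching signature
// is a necessary check, not proof that the rest of the file is harmless.
function validateUpload(claimedType, data) {
  const claimed = String(claimedType).split(";")[0].trim().toLowerCase();
  if (!SIGNATURES.some((s) => s.type === claimed)) {
    return { ok: false, reason: `type not allowed: ${claimed}` };
  }
  const actual = sniffMediaType(data);
  if (actual !== claimed) {
    return { ok: false, reason: `content is ${actual ?? "unrecognised"}, not ${claimed}` };
  }
  return { ok: true, reason: "signature matches claimed type" };
}

// Constructed samples: a PNG header, and HTML text presented as an image.
const pngHeader = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const htmlAsImage = new TextEncoder().encode("<html><body>constructed sample</body></html>");

console.log(validateUpload("image/png", pngHeader));   // accepted
console.log(validateUpload("image/png", htmlAsImage)); // rejected: bytes are not PNG
console.log(validateUpload("text/html", htmlAsImage)); // rejected: type not on allowlist
```

Web apps that display user-supplied files usually pair a check like this with serving the file under its validated type and the `X-Content-Type-Options: nosniff` response header, so the browser does not reinterpret the content as HTML.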

As Nadim Kobeissi, the founder of Symbolic Software, an applied cryptography consultancy, told Wired, “this does highlight a weakness specific to web applications… if you’re someone in a precarious situation and you care about your security, I’d recommend you use WhatsApp on an iPhone.”

But both Kobeissi and Check Point were at pains to reassure users that this type of flaw is not commonplace, but rather a unique and particularly clever one. But the potential overall threat to web-based encrypted messenger apps nonetheless remains and other security experts have been quick to leap on the news as evidence of why such apps should be avoided.

How to handle the desktop app flaw

WhatsApp responded to the news by stating that they fixed the flaw within 24 hours, while Telegram was a little more defensive, arguing that the vulnerability “required very unusual user interaction to succeed.”

Users of both apps should be sure they are running the latest versions, which contain the fixes, and WhatsApp specifically told web app users to reload their browser to confirm the updated software was running.

But those who are concerned would be wiser to ensure that they are either using mobile apps, which are not vulnerable to this flaw, or running a VPN, which will encrypt all online traffic regardless and therefore brings an extra level of protection to your secure messaging.