Researchers at security software company Check Point claim to have uncovered what they describe as a "severe" vulnerability in WhatsApp enabling hackers to hijack accounts using images booby-trapped with malware.
The vulnerability affects WhatsApp Web, along with Telegram's similar web-based service, and stems from a problem with the way that the two message apps process some types of files without verifying that they do not contain malicious code.
Because of this, attackers are able to send malicious code disguised as an innocent-looking image, allowing them to gain access to a WhatsApp or Telegram users' local storage and take control of their account.
"The WhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images," claims Check Point. "Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.
"However, Check Point's research team has managed to bypass the mechanism's restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to take over his account."
This gives, if exploited, hackers could potentially gain access to a user' messages, shared files, contacts list and more.
Check Point warns: "This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts.
The security firm notified WhatsApp and Telegram of the flaw on 7 March, and both companies have fixed the issue.
Check Point said that there is no evidence that the flaw was used by hackers but noted Check Point says it had been present on the platforms for a significant time period and put "hundreds of millions" of accounts at risk.
Still, Check Point advises that users avoid opening suspicious files and links from unknown users, obvs, and periodically clean logged-in computers from WhatsApp and Telegram accounts.
Spaces are filling up fast
HP ZBook x2 offers 32GB RAM, M.2 SSD with up to 2TB storage and Nvidia Quadro GPU
Laptops should be able to offer true all-day working, and some
CGN has created an "online capability gap" between cyber criminals and law enforcement, says Europol
ISPs use Carrier Grade NAT to share IP addresses amongst multiple users