Researchers at security software company Check Point claim to have uncovered what they describe as a "severe" vulnerability in WhatsApp enabling hackers to hijack accounts using images booby-trapped with malware.
The vulnerability affects WhatsApp Web, along with Telegram's similar web-based service, and stems from a problem with the way that the two messaging apps process some types of files without verifying that they do not contain malicious code.
Because of this, attackers are able to send malicious code disguised as an innocent-looking image, allowing them to gain access to a WhatsApp or Telegram user's local storage and take control of their account.
"The WhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images," claims Check Point. "Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.
"However, Check Point's research team has managed to bypass the mechanism's restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to take over his account."
If exploited, the flaw could give hackers access to a user's messages, shared files, contacts list and more.
Check Point warns: "This means that attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts."
The security firm notified WhatsApp and Telegram of the flaw on 7 March, and both companies have fixed the issue.
Check Point said that there is no evidence that the flaw was used by hackers, but noted that it had been present on the platforms for a significant time period and put "hundreds of millions" of accounts at risk.
Still, Check Point advises that users avoid opening suspicious files and links from unknown users, obvs, and periodically clean logged-in computers from WhatsApp and Telegram accounts.
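The flaw described above comes down to trusting what a file claims to be rather than what its bytes are. As an added illustration (not WhatsApp, Telegram or Check Point code; every name and sample below is hypothetical and constructed), this is the kind of check an upload or preview path can run before treating an attachment as an image:

```javascript
// Added example: validate an attachment by its bytes, not its declared type.
// ALLOWED, checkAttachment and the samples are hypothetical, constructed here.

// Magic-byte signatures for a small allowlist of attachment types.
const ALLOWED = {
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/gif": [0x47, 0x49, 0x46, 0x38],
  "application/pdf": [0x25, 0x50, 0x44, 0x46, 0x2d],
};

// Markup that a browser would treat as an active HTML document.
const HTML_MARKERS = /<\s*(!doctype|html|head|body|script|iframe|svg)\b/i;

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// declaredType is supplied by the sender, so it is only believed once the
// leading bytes agree with it. Returns { ok, reason }.
function checkAttachment(declaredType, bytes) {
  const type = String(declaredType).split(";")[0].trim().toLowerCase();
  const sig = ALLOWED[type];
  if (!sig) return { ok: false, reason: "type-not-allowed" };
  if (startsWith(bytes, sig)) return { ok: true, reason: "signature-match" };
  // Mismatch: look at the first 512 bytes to say whether it is HTML in disguise.
  const head = String.fromCharCode(...bytes.slice(0, 512));
  const reason = HTML_MARKERS.test(head) ? "html-disguised" : "signature-mismatch";
  return { ok: false, reason };
}

// Constructed sample inputs.
const toBytes = (s) => Array.from(s, (c) => c.charCodeAt(0));
const SAMPLE_PNG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d];
const SAMPLE_HTML = toBytes("<!DOCTYPE html><html><body>constructed sample</body></html>");

function demo() {
  return [
    checkAttachment("image/png", SAMPLE_PNG).reason,  // genuine image
    checkAttachment("image/png", SAMPLE_HTML).reason, // HTML labelled as an image
    checkAttachment("text/html", SAMPLE_HTML).reason, // HTML sent as HTML
  ];
}
```

A signature check like this does not catch files crafted to be valid as two formats at once, so the side that opens an attachment should also avoid rendering it as a document inside the application's own origin.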