WhatsApp and Telegram are two instant messaging apps that have more than a billion users. They offer encrypted communications, advantageous messaging, and a cluster of different features.
However, new research reveals that a malware-injected image would have been sufficient to steal somebody's WhatsApp or Telegram web accounts. It'd take just a few moments after which the aggressor would increase finish control over accounts, including access to images, video, audio files, and contacts. Furthermore, encryption would really help with this kind of hack.
The Dark web solutions company, abuses much-publicised problems in their customized software that allow hackers to spy on users' calls and text messages by tricking operator networks into routing connections through their own phones.
But snoops using these techniques can't break the encryption deployed by the likes of WhatsApp, Telegram and Signal - three of the most popular security-focused apps. It would take extreme compute power to actually determine how users communications were encrypted, effectively using machines to guess how encryption keys were created by algorithms.
The cryptography also means that even where snoops are able to redirect data to their own machines - as Israeli company Ability claims its licensed Unlimited Interception System will soon do, and it would be unreadable.
But hackers can bypass the encryption protections by exploiting software to create duplicate accounts that receive all the messages intended for the target phone.
This is done by tricking the telecom networks into believing the hacker's phone has the same number as the target's. That means they can set up a new WhatsApp or Telegram account with the same number and will receive the supposedly secret code that confirms they are a "legitimate" user. From there, they can impersonate their target, sending and receiving new calls and texts.
The hugely popular smartphone messaging service WhatsApp, acquired by Facebook for over $20 billion last year, has reportedly been found to be prone to hijacking without unlocking or knowing your device password, making its hundreds of Millions of users vulnerable to, not just hackers, but also non-technical people.
This trick lets anyone surrounds you to get effectively control over your WhatsApp account. The attacker needs nothing more than a phone number of the target person and access to the target mobile phone for a few seconds, even if it is locked.
"Hacking Whatsapp account in such scenario is not hard for hackers"
This is not actually a loophole or vulnerability in WhatsApp, and rather it is just the way WhatsApp is designed and its account setup mechanism works.
NOTE: Moreover, we aren’t encouraging users to hack others WhatsApp account, but the purpose of publishing this article is to warn and remind our readers that you should be extra careful to whom you lend your mobile phone and not to leave it unattended for longer duration with strangers around.
The trick enables the offender to get full control over the victim’s WhatsApp account in no time and the most surprising part is that it independently works on all mobile platforms, including Android, Windows and Apple’s iOS.
Things get even worse on iPhone if the users have configured their iPhone with Siri authentication for the lock screen, because all the contact details are available to access the Siri’s settings, effectively giving everyone access to their phone number without the need for a PIN.
Thus, if you try to steal the account information of WhatsApp, without even having the phone number of the target user, you can just call your number from target’s phone using Siri.
Next time when someone sends you a photo of a cute cat or a hot chick on WhatsApp or Telegram then be careful before you it might hack your account within seconds.
A new security vulnerability has recently been patched by two popular end-to-end encrypted messaging services — WhatsApp and Telegram — that could have allowed hackers to completely take over user account just by having a user simply click on a picture.
The hack only affected the browser-based versions of WhatsApp and Telegram, so users relying on the mobile apps are not vulnerable to the attack.
According to Checkpoint security researchers, the vulnerability resided in the way both messaging services process images and multimedia files without verifying that they might have hidden malicious code inside.
For exploiting the flaw, all an attacker needed to do was sending the malicious code hidden within an innocent-looking image. Once the victim clicked on the picture, the attacker could have gained full access to the victim’s WhatsApp or Telegram storage data.
This eventually allowed attackers to take full access to the user's account on any browser, view and manipulate chat sessions, access victim's personal and group chats, photos, videos, audios, other shared files and contact lists as well.
Just check the given video demonstration that explains the simple trick of taking control of anyone’s WhatsApp account.
To make this attack widespread, the attacker can then send the malware-laden image to everyone on the victim's contact list, which could, eventually, mean that one hijacked account could be led to countless compromises by leapfrogging accounts.
Both WhatsApp and Telegram use end-to-end encryption for its messages to ensure that nobody, except the sender and the receiver, can read the messages in between.
However, this same end-to-end encryption security measure was also the source of this vulnerability.
Since the messages were encrypted on the side of the sender, WhatsApp and Telegram had no idea or a way of knowing, that malicious code was being sent to the receiver, and thus were unable to prevent the content from being running.
"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," the researchers writes in a blog post.
WhatsApp fixed the flaw within 24 hours on Thursday, March 8, while Telegram patched the issue on Monday.
Since the fixes have been applied on the server end, users don't have to update any app to protect themselves from the attack; instead, they just need a browser restart.
"It's a big vulnerability in a significant service," said Oded Vanunu, head of product vulnerability research at Check Point. "Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients."
WhatsApp did not notice any abuse of the vulnerability, while Telegram claimed the flaw was less severe than WhatsApp, as it required the victim to right click on the image content and then open it in a new window or tab for the malicious code to run and exploit its users.
After fixing this flaw, content on the web versions of both WhatsApp and Telegram will now be validated before the end-to-end encryption comes into play, allowing malicious files to be blocked.
You can find out more about how to hack a WhatsApp account and how to protect yourself from Spyware by visiting:
I hope you enjoyed reading. Have a nice day.