Internet Security Blog - Hackology

WhatsApp & Telegram Hack with 1 Image

No matter how strong the encryption is, as long as human interaction is involved we will see it being exploited. WhatsApp and Telegram were exploited with a single image, resulting in a complete account takeover.

How Hackers hacked WhatsApp and Telegram

As simple as it may sound, hackers would send a specially crafted link that appears to be an image file; once the image was opened, the hacker would have complete access to the victim's account. The hack was only executable on the web versions of the chat applications.

Technical breakdown of WhatsApp / Telegram Hack

WhatsApp's file upload mechanism supports a few document types such as Office documents, PDF, audio files, video and images. However, the Check Point research team managed to bypass the mechanism's restriction and upload a malicious HTML document with a legitimate image preview. This fools the victim into believing that it is an authentic file type.
Once the document is opened, the WhatsApp web client uses the FileReader HTML5 API call to generate a unique BLOB URL with the file content sent by the attacker, then opens that URL.

The attack takes place in the following steps

Step 1: First, the attacker crafts a malicious HTML file with a preview image. Telegram code looks like this.
Step 2: The WhatsApp web client stores the allowed document types in a client variable called W["default"].DOC_MIMES. This variable holds the allowed MIME types used by the application.
Step 3: Since an encrypted version of the document is sent to WhatsApp servers, it is possible to add a new MIME type such as "text/html" to the variable in order to bypass the client restriction and upload a malicious HTML document.
Step 4: The client encrypts the data using encryptE2Media.
Step 5: Change the extension and preview image and you get something that has a better chance of being clicked.
Step 6: Once the victim clicks on the link on , they will see a blob and the session will be hijacked. A JavaScript allows the attacker to check the file every X seconds for a WhatsApp session hijack.
Step 7: Multiple sessions are not allowed by WhatsApp, which is managed by this code , as it gives the attacker ample time with the victim's browser. Telegram allows multiple sessions, so it is not required to write any code, nor will the victim on Telegram be notified.
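
The steps above work because the only file-type check sits in the sender's own browser and the opened Blob takes whatever type the sender declared. One way to close that on the receiving side is sketched below as an added example, not code from WhatsApp, Telegram or Check Point; the function names, the signature table and the sample bytes are all assumptions made for illustration.

```javascript
// Added example, not WhatsApp or Telegram code. Runs on the RECEIVING client:
// the sender's allowlist lives in the sender's browser and the server only sees
// ciphertext, so neither can be relied on to reject a mislabelled file.

// MIME type -> leading magic bytes for types that are safe to render inline.
const SIGNATURES = {
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/gif": [0x47, 0x49, 0x46, 0x38],
  "application/pdf": [0x25, 0x50, 0x44, 0x46, 0x2d],
};

// Identify the content from its bytes; null means "not a recognised safe type".
function sniffType(bytes) {
  for (const [mime, magic] of Object.entries(SIGNATURES)) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Decide how decrypted attachment bytes may be turned into a Blob.
function classifyAttachment(declaredMime, bytes) {
  const declared = String(declaredMime).toLowerCase().split(";")[0].trim();
  const actual = sniffType(bytes);
  if (actual !== null && actual === declared) {
    return { inline: true, blobType: actual };
  }
  // Mismatch or unknown content: force a non-renderable type so the browser
  // does not load it as a document in the app's origin.
  return { inline: false, blobType: "application/octet-stream" };
}

// Constructed sample inputs.
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_HTML = new TextEncoder().encode("<html><body>constructed sample</body></html>");

const results = [
  ["image/png", SAMPLE_PNG],   // genuine image
  ["image/png", SAMPLE_HTML],  // HTML dressed up as an image
  ["text/html", SAMPLE_HTML],  // HTML declared honestly, still not allowed inline
].map(([mime, bytes]) => classifyAttachment(mime, bytes));
console.log(results);
```

The Blob is created with the type derived from the bytes rather than the declared one, so a file that fails the check is never handed to the browser as text/html.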
