No matter how strong encryption is, as long as human interaction is there we will see encryption being exploited. WhatsApp and Telegram were exploited by a single image which resulted in a complete account take over.
How Hackers hacked WhatsApp and Telegram
As simple as it may sound, Hackers would send a special crafted link which will appear as a Image file and once the image was opened, complete access would be available with the hacker of victim account.The hack was only executable on Web versions of the chat applications.
Demo Video of WhatsApp Hack
Technical breakdown of WhatsApp / Telegram Hack
WhatsApp upload file mechanism supports a few document types such as Office Documents, PDF, Audio files, Video and images. However, Check Point research team managed to bypass the mechanism’s restriction and uploaded a malicious HTML document with a legitimate preview of an image. Such an action fools the victim into to believing that it is a authentic file type.
Once the document is opened, WhatsApp web client uses the FileReader HTML 5 API call to generate a unique BLOB URL with the file content sent by the attacker then opens the same URL.
The Attack takes place in following steps
Step 1 : First, the attacker crafts a malicious html file with a preview image. Telegram code looks like this.
Step 2 : WhatsApp web client stores the allowed document types in a client variable called W[“default”].DOC_MIMES this variable stores the allowed Mime Types used by the application.
Step 3 : Since an encrypted version of the document is sent to WhatsApp servers it is possible to add new Mime type such as “text/html” to the variable in order to bypass the client restriction and upload a malicious HTML document.
Step 4 : Client encrypts the data using encryptE2Media.
Step 5 : Change extension and preview image and you get something which has more chances of being clicked.
Step 7 : Multiple sessions are not allowed by WhatsApp which is managed by this code , as it makes the victim browser stuck.giving ample time to the Attacker. While Telegram allows multiple sessions so its not required to write any code nor the victim on Telegram will be notified.