WhatsApp & Telegram Hack with 1 Image

Written by Dr-Hack

No matter how strong encryption is, as long as human interaction is there we will see encryption being exploited. WhatsApp and Telegram were exploited by a single image which resulted in a complete account take over.

How Hackers hacked WhatsApp and Telegram

As simple as it may sound, Hackers would send a special crafted link which will appear as a Image file and once the image was opened, complete access would be available with the hacker of victim account.The hack was only executable on Web versions of the chat applications.

Demo Video of WhatsApp Hack

Telegram Demo

Technical breakdown of WhatsApp / Telegram Hack

WhatsApp upload file mechanism supports a few document types such as Office Documents, PDF, Audio files, Video and images. However, Check Point research team managed to bypass the mechanism’s restriction and uploaded a malicious HTML document with a legitimate preview of an image. Such an action fools the victim into to believing that it is a authentic file type.
Once the document is opened, WhatsApp web client uses the FileReader HTML 5 API call to generate a unique BLOB URL with the file content sent by the attacker then opens the same URL.

The Attack takes place in following steps

Step 1 : First, the attacker crafts a malicious html file with a preview image. Telegram code looks like this.
Step 2 : WhatsApp web client stores the allowed document types in a client variable called W[“default”].DOC_MIMES this variable stores the allowed Mime Types used by the application.
Step 3 :  Since an encrypted version of the document is sent to WhatsApp servers it is possible to add new Mime type such as “text/html” to the variable in order to bypass the client restriction and upload a malicious HTML document.
Step 4 : Client encrypts the data using encryptE2Media.
Step 5 : Change extension and preview image and you get something which has more chances of being clicked.
Step 6 : Once the victim clicks on the link on web.whatsapp.com , will see a blob and session will be hijacked. A Javascript allows attacker to check file after every X seconds for a WhatsApp session hijack.
Step 7 : Multiple sessions are not allowed by WhatsApp which is managed by this code , as it makes the victim browser stuck.giving ample time to the Attacker. While Telegram allows multiple sessions so its not required to write any code nor the victim on Telegram will be notified.

HOT:  WhatsApp Status : A Privacy Nightmare

About the author


Owner and founder of Hackology Internet Security Portal and BlackAngel. These days teach hacking so others can stay safe. Apart from hacking, a Movie Fanatic.Also run a tech Blog, small projects like encrypted paste etc and various PoC and research articles

  • dev

    is this work now ???

  • not this particular trick.. but mime modification is still there ..

  • Bridge tyler

    Hi, i’m Tyler, i had my friend help me hack my ex’s email, facebook, whatsapp,and his phone cause i suspected he was cheating. all he asked for was a his phone number. he’s email is ([email protected])..IF u need help tell him Tyler referred you to him and he’ll help. Am sure his going to help you do it, good luck

  • Jessica Lu

    I know [email protected] is the best hacker out there when it comes to sale of tools and guide, Mobile hack, email interception, credit score repair, Grade change, DDOS, SQL Injection, Spyware program. Remove content on the internet or database.

  • sommer

    I know of one of the best hackers who I can vouch for. He is very good and reliable. he has helped me with so many issues with my my husband’s phone, because we had issues with cheating, he was cheating a lot and he helped me hack his phone and everything without him knowing and I was monitoring everything he was doing. Just contact him for any hacking related issues like hacking phones, computers, emails. Facebook accounts, WhatsApp, Instagram. Just mail him and you will get a good hacking service. Contact him on [email protected]

Pin It on Pinterest