WhatsApp, the Facebook messaging giant with close to one billion unique users, might have been a hacker’s playground over the last couple of months.
This also means that personal details and other vital information might be out there being auctioned for a couple of dollars, depending on relevance.
Despite their “unbreakable” end-to-end user encryption, it was an unexpected content flaw that proved to be WhatsApp’s Achilles’ heel.
As early as last week, web security experts from CheckPoint noticed a flaw that essentially allows hackers to clandestinely take over accounts, access private conversations and siphon out your contact list. They have since reported the issue.
According to CheckPoint, this vulnerability was noticed on WhatsApp Web. Hackers could, in effect, compromise these online accounts by sending false thumbnails laced with malicious code. When the user clicks on one of these attractive images, the malware is activated and the hacker has full access to the user’s account.
Since they have full control, these hackers could then copy all of your contact information, recent conversations and all other archived messages from storage.
To demonstrate this vulnerability, CheckPoint took advantage of WhatsApp’s upload mechanism.
Because WhatsApp is known to support some specific readable files such as PDF or Word documents, CheckPoint system penetration experts were able to take advantage of this mechanism. They then uploaded infected HTML files disguised as image previews. Upon clicking, the code is loaded, you are redirected to a different page and the account is compromised.
Apparently, the end-to-end encryption is effective at preventing other intrusions. However, this loophole can be consequential to the app as a global brand.
The end-to-end user encryption is at its core a knee-jerk reaction following claims of widespread government surveillance. This security feature ensures that user conversations remain private and there is no one in between reading them.
However, it appears that the problem does not come from its coding. The cause is WhatsApp’s encryption and the content blindness brought about by an excessive focus on end-to-end protection.
WhatsApp supports video, text and HTML files. These files are easy to encrypt and send over as a secure BLOB ready for decryption. Surprisingly, encryption is done without validating this content.
With this blind content encryption, WhatsApp couldn’t discern infected attachments from clean ones. Consequently, CheckPoint took advantage of this flaw, penetrated the system and, luckily for us, notified WhatsApp.
WhatsApp has since taken steps and introduced new content filters. These filters validate and then block all malicious software within an attachment.
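The kind of pre-encryption content check described above, as an added example that is not WhatsApp's or CheckPoint's code: it compares an attachment's declared MIME type with its leading magic bytes and rejects markup posing as an image before the blob would be encrypted. The allow-list, the function names and the sample buffers are assumptions constructed for illustration.

```javascript
// Added example (not WhatsApp's code): validate an attachment BEFORE it is
// encrypted, because nothing in between can inspect the encrypted blob.
// Assumed allow-list: declared MIME type -> magic bytes the file must start with.
const SIGNATURES = {
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/gif': [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
  'application/pdf': [[0x25, 0x50, 0x44, 0x46, 0x2d]],
};

// Tags that indicate browser-renderable markup near the start of a file.
const MARKUP = /<\s*(!doctype|html|head|body|script|iframe|svg|meta)\b/i;

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Returns { ok, reason }. `declaredType` is the MIME type the sender claims.
function validateAttachment(bytes, declaredType) {
  const type = String(declaredType).toLowerCase().split(';')[0].trim();
  const sigs = SIGNATURES[type];
  if (!sigs) return { ok: false, reason: 'type-not-allowed' };
  if (!sigs.some((sig) => startsWith(bytes, sig))) {
    // Content contradicts the claim; report separately when it looks like HTML.
    const head = Buffer.from(bytes.slice(0, 512)).toString('latin1');
    const reason = MARKUP.test(head) ? 'markup-disguised-as-' + type : 'signature-mismatch';
    return { ok: false, reason };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample inputs: a PNG header and an HTML document.
const png = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const fakeThumb = new TextEncoder().encode('<html><body>not an image</body></html>');

for (const [name, data, type] of [
  ['photo.png', png, 'image/png'],
  ['thumb.jpg', fakeThumb, 'image/jpeg'], // HTML claiming to be a JPEG thumbnail
  ['page.html', fakeThumb, 'text/html'],  // type is not on the allow-list
]) {
  console.log(name, validateAttachment(data, type));
}
```

A signature check only catches content that contradicts its declared type; the receiving web client should still never render attachment bytes as HTML in its own origin.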
For frequent WhatsApp Web users, all they have to do is restart their web browsers. Once done, the new fix will take effect.