Millions of WhatsApp users are vulnerable to their accounts being hacked and taken over.
Security experts discovered a vulnerability in WhatsApp’s online platform, WhatsApp Web, the computer version of the phone application that lets people chat from a desktop.
The hack could allow cybercriminals to take over hundreds of millions of users’ accounts and everything within them.
By sending malicious code hidden within an image, hackers could gain access to WhatsApp storage data and take control of the victim’s account. From there they could target the victim’s contacts and pass the malicious image on.
WhatsApp uses end-to-end encryption as a data security measure, which ensures that the only people who can read a message are the sender and recipient, with no one in between.
However, it seems that the encryption was the source of the vulnerability: the message was created on one side of the encryption, meaning WhatsApp was unaware of the malicious content and thus unable to prevent it.
Since the discovery, WhatsApp has taken steps to improve security and close the potential security breach.
Mark James, ESET IT Security Specialist, talks about end-to-end encryption and how applications on phones and other devices can improve security.
“As the bad guys get smarter, our applications need to keep up.
“More and more of our communications are open to abuse from cybercriminals and the opportunistic eavesdropper.
“One of the ways to get around this process is using something called end-to-end message encryption.
“WhatsApp state: ‘When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.’
“I.e. I encrypt it (automatically) from my application before I send it, and you decrypt it at your end when you receive it.
“That means if anyone compromises the data in transit they are unable to use or identify anything within it, and there lies the problem: it limits your options for checking for anything malicious.
“Luckily this only affected the web platform, so once resolved by WhatsApp themselves it only requires a browser restart.
“They state: ‘After fixing this vulnerability, content will now be validated before the encryption, allowing malicious files to be blocked.’”
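The point in that last quote is where the check has to live: once an attachment is end-to-end encrypted, nothing between the two clients can inspect it, so the sending client is the last place a content check can run. The following is an added illustration, not WhatsApp’s code, of validating an outgoing attachment before it reaches the encryption layer. It assumes a small allow-list of image types, a magic-byte check that the bytes really are that type, and a heuristic scan for markup that has no business inside an image; `encrypt()` is a placeholder standing in for the real end-to-end layer, and the sample attachments are constructed for the example.

```javascript
// Added example (not WhatsApp's code): validate an outgoing attachment on the
// sending client, before it is end-to-end encrypted. After encryption neither
// the server nor any in-transit scanner can see the content.

// Magic-byte signatures for the image types this example accepts.
// Assumption: a real client would cover every type it allows to be sent.
const SIGNATURES = {
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/gif': [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // GIF87a
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // GIF89a
  ],
};

// Markup fragments that should never appear in a plain raster image. A hit is
// a strong signal that the "image" is really active content in disguise.
const ACTIVE_CONTENT_MARKERS = ['<script', '<html', '<svg', 'javascript:'];

function startsWith(bytes, prefix) {
  if (bytes.length < prefix.length) return false;
  return prefix.every((b, i) => bytes[i] === b);
}

// Decode bytes as Latin-1 text so the marker scan is independent of encoding.
function bytesToLatin1(bytes) {
  let text = '';
  for (const b of bytes) text += String.fromCharCode(b);
  return text;
}

// Returns { ok, reason }. ok === true only if the declared type is allowed,
// the magic bytes match it, and no active-content marker is present.
function validateAttachment(bytes, declaredMime) {
  const sigs = SIGNATURES[declaredMime];
  if (!sigs) {
    return { ok: false, reason: `type ${declaredMime} not allowed` };
  }
  if (!sigs.some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: `content does not match declared ${declaredMime}` };
  }
  // Heuristic, not a parser: lower-case for a cheap case-insensitive match.
  const text = bytesToLatin1(bytes).toLowerCase();
  const marker = ACTIVE_CONTENT_MARKERS.find((m) => text.includes(m));
  if (marker) {
    return { ok: false, reason: `embedded active content (${marker})` };
  }
  return { ok: true, reason: 'ok' };
}

// Placeholder for the real end-to-end encryption layer (assumption; XOR is
// NOT cryptography, it only marks where encryption happens in the flow).
function encrypt(bytes) {
  return bytes.map((b) => b ^ 0x5a);
}

// Send path: the check runs first, so bad content never gets encrypted.
function sendAttachment(bytes, declaredMime) {
  const verdict = validateAttachment(bytes, declaredMime);
  if (!verdict.ok) throw new Error(`blocked: ${verdict.reason}`);
  return encrypt(bytes);
}

// Constructed sample attachments for demonstration.
const ascii = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
const goodPng = Uint8Array.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, // PNG signature
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52, // IHDR chunk header
]);
const htmlDisguisedAsJpeg = ascii('<html><script>/* constructed */</script></html>');
const jpegWithMarkupTail = Uint8Array.from([
  0xff, 0xd8, 0xff, 0xe0, ...ascii('<script>/* constructed */</script>'),
]);

console.log(validateAttachment(goodPng, 'image/png'));
console.log(validateAttachment(htmlDisguisedAsJpeg, 'image/jpeg'));
console.log(validateAttachment(jpegWithMarkupTail, 'image/jpeg'));
```

Two design points are worth noting. The declared MIME type is never trusted on its own: the magic-byte check catches a file that is simply labelled as an image, and the marker scan catches a file that carries a genuine image header followed by markup. The marker list is a heuristic and can false-positive on image metadata, so a production client would pair it with a real decoder that re-encodes the image rather than forwarding the original bytes.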