Facebook’s WhatsApp and Telegram Patch Major Security Flaws
WhatsApp
and Telegram patched flaws in their popular instant messaging
applications after security researchers showed that they could seize
control of user accounts.
Researchers
with Check Point Software Technologies discovered problems with the way
the two apps process some types of files without verifying that they do
not contain active code that could be malicious.
Flaws
in popular instant messaging applications are less common than
traditional desktop software. The apps are often used because of their
heavy encryption, which has been criticized by some in laws enforcement.
They
were able to send files to the web-based versions of the products with
malicious code while making it seem to be something else, such as a
picture. In WhatsApp's case, once opened by the recipient, the code
allowed the researchers to get into the local storage of the user and
then access the user's account. From there, they could have sent the
same malicious attack to all of the users' contacts.
Telegram's
flaw was much more subtle and required "very unusual" behavior by the
victim, such as right-clicking on a video and opening a new tab, said
spokesman Markus Ra.
There is no evidence that any similar attacks were actually used in the wild against either company's products, he said.
"When Check Point reported the issue, we addressed it within a day and
released an update of WhatsApp for web," said Anne Yeh, a spokeswoman
for that Facebook (FB, -0.39%) unit. "To ensure that you are using the latest version, please restart your browser.”
No comments