Cybersecurity researchers announced Wednesday a vulnerability in messaging service WhatsApp that allows hackers to breach accounts by sending an image with malicious software.
Telegram, another popular messaging service, also appears to be vulnerable to the hack. Users are attacked while using the services on a web browser.
The services boast end-to-end encryption in which only the devices of two parties communicating can decipher a message thread.
Cybersecurity firm Check Point Research said, however, that it has discovered a way to bypass the encryption by sending an image to a user. If opened, malicious software attached to the file can break into the account.
“This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists and more,” according to a statement by Check Point’s Eran Vaknin, Roman Zaikin and Dikla Barda. “This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom and even take over your friends’ accounts.”
Check Point alerted WhatsApp and Telegram to the issue on March 7 and the companies created a fix for the exploit. There is no evidence hackers used the vulnerability to breach user accounts.
WhatsApp, which is owned by Facebook, has more than 1 billion users and is one of the most common messaging services. Telegram has in excess of 100 million users and the company says 15 billion messages are sent through the service every day.
“We build WhatsApp to keep people and their information secure,” a WhatsApp spokeswoman said in a statement. “When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web.”