
Vulnerability That Allowed Hackers to Take Over WhatsApp and Telegram Accounts - tzury
http://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/
======
idlewords
This applies to the web versions of these apps.

While this is painful advice, if you need the security protections of WhatsApp
or Signal, don't use those apps on the desktop. The web/desktop versions are
only as secure as the OS and browser underneath them. Instead, use them on a
late-model iPhone or iPad (with a bluetooth keyboard if screen keyboards drive
you nuts).

Don't use Telegram at all.

~~~
ryanisnan
> Don't use Telegram at all.

Care to elaborate on that?

~~~
idlewords
Telegram uses a custom protocol that makes professional cryptographers like
Matthew Green tweet things like this:
[https://twitter.com/matthew_d_green/status/72642891296898252...](https://twitter.com/matthew_d_green/status/726428912968982529?lang=en)

WhatsApp and Signal use the Signal protocol, which has a good reputation among
working cryptographers (who I hope we'll hear from in this thread).

~~~
unicornporn
The greatest problem with the Telegram encryption is that nobody I know uses
it. Why?

1. It's not default.

2. Encrypted chats don't sync between devices.

------
strictnein
When you boil it down, these are both just moderately complex stored XSS
attacks, right? Construct a weird video or image, get it stored on the
Telegram/WhatsApp servers, and if the user is using the web interface, they
could trigger the malicious code by clicking on the image or opening the video
in a new tab.

~~~
misterrobot
Yeah, this is literally just stored XSS. The fact that they don't even mention
XSS in the article just amplifies its click-baitiness.

------
apeace
Interesting that this post references the CIA Wikileaks publication, but does
not explicitly say that the exploit was found via those leaks.

It would be very big news if that were the case. Major news outlets such as
the New York Times[0] have slammed Wikileaks for using "misleading" language
to describe the leaks, specifically in reference to WhatsApp.

I hope the author will clarify how they came across this exploit.

From the NYT article:

> In their haste to post articles about the release, almost all the leading
> news organizations took the WikiLeaks tweets at face value. Their initial
> accounts mentioned Signal, WhatsApp and other encrypted apps by name, and
> described them as “bypassed” or otherwise compromised by the C.I.A.’s
> cyberspying tools.

> Yet on closer inspection, this turned out to be misleading. Neither Signal
> nor WhatsApp, for example, appears by name in any of the alleged C.I.A.
> files in the cache.

[0] [https://www.nytimes.com/2017/03/09/opinion/the-truth-about-t...](https://www.nytimes.com/2017/03/09/opinion/the-truth-about-the-wikileaks-cia-cache.html)

~~~
ryanlol
>I hope the author will clarify how they came across this exploit.

These bugs didn't come from wikileaks.

>Major news outlets such as the New York Times[0] have slammed Wikileaks for
using "misleading" language to describe the leaks, specifically in reference
to WhatsApp.

Still wouldn't explain their claims about Signal.

------
tedunangst
This is only if you use the web client? The article almost goes out of its way
to implicate mobile clients, but my understanding is they're not affected?

~~~
lucb1e
That is my understanding as well. It's written like a media prop -- I mean,
look at this:

> bypass Telegram’s upload policy and upload a malicious HTML document with a
> mime type of a video file “video/mp4”. Then, they were able to send it to
> the victim side in an encrypted channel through telegram servers.

It's only missing the words "cyber" and "darknet" to make it complete, but
they just upload html with javascript (malicious or not) and it happens to be
over https.

So it's a bit obfuscated, but yeah it seems to only affect the web clients.

------
passivepinetree
Can someone more involved with security than me describe what the authors mean
when they say files will now be "validated" by WhatsApp and Telegram before
being sent?

~~~
dsacco
In very basic terms it means that some level of sophisticated file type and
content-type verification will be performed in a manner that is theoretically
secure. For example, Whatsapp shouldn't have allowed HTML to be uploaded if
it's disguised as an image thumbnail. That's pulling a page right out of 2002.

This is very easy to do 80% of the way, and difficult to do with the remaining
20%. The last mile of file validation is extremely fickle because it requires
an understanding of what the uploading library is doing under the hood. You
can minimize your risk by carefully choosing files to accept, understanding
how they're parsed by your libraries and correctly disallowing everything
else.

Practically speaking, you should at a minimum:

1. Whitelist acceptable file types,

2. Perform server-side, not client-side validation,

3. Validate the file types not only by extension, but by contents,

4. Disallow filenames from being set by user input, and ideally hash them
before presenting them back,

5. Store the files on a separate host/CDN,

6. Only allow the uploader to retrieve files uploaded by the user, and not
from local or remote resources. If you must allow local directories, maintain
strict permissions, and do not allow loopback resources.

That's a great start. To go further, you should investigate which library to
use carefully and consider how legitimate files you are choosing to whitelist
can still be dangerous. For example, you can trigger an XSS with a valid SVG.
You can attack system memory with fraudulent JPG sizes. You can trigger
server-side request forgery by uploading 127.0.0.1, etc.
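As an added example (not code from Check Point, WhatsApp or Telegram, and not the commenter's own), here is how points 1 to 4 above look as a server-side upload gate in Python: accept only a whitelist of types, decide by file signature rather than the declared MIME type, refuse a genuine media header that carries markup behind it, and replace the client filename with a content hash. The signature table and the sample uploads are constructed for this illustration.

```python
import hashlib
import re

# Added example, not code from Check Point, WhatsApp or Telegram: a server-side
# gate applying the first four points above. Whitelisted MIME types and the
# signature each must carry (ISO BMFF/mp4 has "ftyp" at offset 4).
MAGIC = {
    "image/png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "image/jpeg": [(0, b"\xff\xd8\xff")],
    "image/gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    "video/mp4":  [(4, b"ftyp")],
}
EXT = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif", "video/mp4": "mp4"}
# Markup that must never be present in a media blob served from the chat origin.
MARKUP = re.compile(rb"<\s*(!doctype|html|script|svg|body|iframe)\b", re.I)

def sniff_type(data: bytes):
    """Return the whitelisted type whose signature the bytes carry, else None."""
    for mime, sigs in MAGIC.items():
        if any(data[off:off + len(sig)] == sig for off, sig in sigs):
            return mime
    return None

def validate_upload(declared_mime: str, data: bytes):
    """Decide from the bytes, never the client's label; returns
    (accepted, reason, storage_name) where the name is a content hash."""
    if declared_mime not in MAGIC:
        return False, "type not whitelisted", None
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "no accepted signature", None
    if sniffed != declared_mime:
        return False, f"declared {declared_mime}, content is {sniffed}", None
    # A genuine header followed by HTML is the polyglot a signature check alone
    # misses, so the whole body is scanned for markup as well.
    if MARKUP.search(data):
        return False, "markup inside media file", None
    return True, "ok", f"{hashlib.sha256(data).hexdigest()}.{EXT[sniffed]}"

# Constructed sample uploads (not real captures), one per branch.
SAMPLES = {
    "png_ok":         ("image/png",  b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "html_as_mp4":    ("video/mp4",  b"<html><script>x</script></html>"),
    "mp4_polyglot":   ("video/mp4",  b"\x00\x00\x00\x18ftypisom<script>x</script>"),
    "label_mismatch": ("image/jpeg", b"GIF89a" + b"\x00" * 8),
}

def run_samples():
    return {name: validate_upload(m, d)[:2] for name, (m, d) in SAMPLES.items()}
```

The signature table only covers the types a chat service would reasonably accept; anything else, including HTML, never reaches the storage step regardless of what the client claims.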

~~~
tptacek
For simple image types, you can avoid a lot of this machinery by always
resizing and converting images serverside, so that attackers simply don't have
control over the bits of any image they upload. This used to be the
recommended countermeasure back when GIFARs were a thing.

Obviously, a trickier problem when those images are encrypted.

------
homakov
Statement from @durov - [http://telegra.ph/Checkpoint-Confusion-NEWS?1](http://telegra.ph/Checkpoint-Confusion-NEWS?1)

Because both are Web versions, I'd rate Whatsapp one as 6/10 severity and (due
to how hard it is to trick the user) Telegram as 3/10.

Don't have stats but given how inconvenient Web versions are, I don't think
they are widely used.

~~~
zulln
I would say more people use WhatsApp Web than Telegram (percent, not absolute
numbers). Telegram does have a desktop client, while WhatsApp Web is the only
choice if you want to reply to something from your desktop (third parties
aside).

~~~
donatzsky
WhatsApp does actually have a desktop client. It's nothing spectacular, but
works well enough.

------
lucb1e
So basically, you can upload HTML and have users of the web client run the
code on the Telegram/WhatsApp domain by sending it with another MIME type such
as mp4?

I use Telegram Desktop but this should have shown up in any security test,
which they apparently didn't do. As a pen tester, maybe I should take it upon
myself to audit stuff that I use now and then...

~~~
bsamuels
it's very easy to say "wow they should have tested for that" in retrospect
with any vulnerability

~~~
lucb1e
Definitely, which is why I said: any security audit would have found this, so
I'm guessing they never had any.

------
misterrobot
LOL, these are literally just XSS attacks, the sky is not falling. This is
such clickbait. Posts like this make the security community look bad IMO.
Report it and move on.

~~~
irundebian
OLOL LITERALLY!?! What's your problem dude? A single XSS vulnerability can
have severe impacts up to a compromise of a system when sensitive data from
authorized users are stolen.

~~~
misterrobot
XSS is the most common bug on the internet, and there is nothing interesting
or novel about this that warrants an article in my opinion. My problem is that
this article makes people scared in a way that I do not think is productive.
Kudos to whoever found the bug for finding it and making everyone safer, but I
thought the article was needlessly clickbaitey. I agree I should probably be
less cavalier-sounding though, sorry.

~~~
irundebian
No offense. The widespread nature of XSS does not make it less harmful.
Although attacks with XSS vulnerabilities require further actions by the
attacked users, these are often easily provoked. IMHO a vulnerability
shouldn't be rated by its trivialness but by its impact.

Still I think Checkpoint is doing clickbaiting, regarding their description
of the vulnerability and Telegram's reply.

