Unlike in WhatsApp, nobody could take over your Telegram account by simply sending you a photo

Unlike in WhatsApp, nobody could take over your Telegram account by simply sending you a photo

Telegram

A company called Check Point has discovered a way of taking over a WhatsApp account provided that your target simply opened a photo you sent them. No additional actions from the target were required. Some media reported that "the same" vulnerability was discovered in Telegram.

This is not true, Telegram never had this issue.

What did you have?

Last week, Check Point pointed out a different issue in Telegram Web that was based on the same idea, but had very different implications for the end user. For this version to work, you had to convince your target to do exactly the following:

1. Hit 'Play' to start watching a malicious video via Telegram Web in Chrome. (At this point a WhatsApp account is already compromised, but nothing happens in Telegram.)

2. Then, as the video is already playing, right-click on the running video and select "open in a new tab" from the menu.

Your target had to do exactly that, in this exact order. Also note:

  • This did not work if you simply opened the 'play video' link in a new tab. No effect.
  • This did not work in any browsers other than Chrome.
  • This is naturally irrelevant for Telegram Desktop or any of our other apps.
  • We still fixed this immediately, of course.

As you can see, the attack against Telegram required very special conditions and very unusual actions from the targeted user to succeed.

Why the skewed reporting then?

Many media wrongly reported that Telegram had the same issue as WhatsApp. The reason they did this is because Check Point chose to write their post in a way to maximize its PR impact. This is not unusual for a security company seeking recognition. Still it's surprising that they were not satisfied with merely cashing in on the WhatsApp issue and included inaccurate statements about Telegram. For example:

Once the user clicks to open the malicious file, it allows the attacker to access WhatsApp’s and Telegram’s local storage, where user data is stored. From that point, the attacker can gain full access to the user’s account and account data.

The part about Telegram in this statement is not true. Sadly, it is now part of a barrage of articles written by mislead journalists all over the globe. So if you see a headline like "How one photo could have hacked your WhatsApp and Telegram accounts", feel free to tell the author that they've been duped by an irresponsible security company.

UPD 16.03.17: After numerous requests, Check Point updated their post a day later.

OK, so how do I know if this was used on my account in the past?

If you're a WhatsApp user, you don't. Sorry. That is, unless you are sure that all photos you've ever opened via WhatsApp Web were coming from legitimate sources.

If you're a Telegram user and use the web client instead of the desktop apps, try to remember if you ever did the strange trick described above. If, like all of us, you've never done anything like this, this doesn't concern you.