When WhatsApp switched on end-to-end encryption for its billion-plus users last year, the move heralded a new era for messaging apps, one where foiling virtually all eavesdropping represents the new security standard. But a pair of new attacks on the web versions of those “secure” messengers shows how just a few lines of insecure code can undermine even the most airtight encryption—particularly when they’re running in your browser.
On Wednesday, Israeli security firm Check Point revealed a new technique that the company says could bypass WhatsApp’s end-to-end encryption, by hiding HTML code in a seemingly innocuous image. If a user clicks on it while using the web version of the app, the code runs in the victim’s browser, gaining full access not only to the target’s messages, but to any shared photos and videos, as well as their contact list. Check Point also revealed a similar attack on the web version of Telegram—another app that advertises end-to-end encryption—that the researchers say can hide malicious code in a video that a user opens in a new tab.
Weaker On the Web
While both companies patched the bugs with quick updates, the vulnerability may have left millions of users open to crypto-circumventing spies. And security researchers say the attacks point to inherent vulnerabilities in the web versions of any secure messenger. When privacy counts, the smartphone is safer ground.
“Unfortunately, this does highlight a weakness specific to web applications,” says Nadim Kobeissi, the founder of the applied cryptography consultancy Symbolic Software. Kobeissi has in the past lauded the ease of use of web-based crypto apps. But he concedes that Check Point’s findings are a strong example of why those web apps are prone to forms of attack that mobile apps aren’t. “It’s kind of heartbreaking to have to say this, but if you’re someone in a precarious situation and you care about your security, I’d recommend you use WhatsApp on an iPhone,” he says.
Check Point’s attacks take advantage of flaws in how the two apps perform “input validation,” the process that ensures an image or video is the type of file it appears to be rather than a piece of code that would run potentially dangerous commands in the victim’s browser. “Every web application, whether it’s Facebook or a bank application, has to make sure that anything you enter as an input or that you upload is the kind of file type they’re permitting,” says Oded Vanunu, a security researcher at Check Point. “Once you manage to bypass that validation, it’s game over. The browser will run whatever you give it.”
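The kind of check Vanunu describes can be sketched as follows. This is an added example, not code from WhatsApp, Telegram or Check Point; the function names, the allow-list and the sample inputs are assumptions made for illustration. It goes one step beyond the text by also returning the response headers to use when serving an accepted file.

```javascript
// Added example: accept an upload only when its bytes match the declared type.
// SIGNATURES, sniffType and validateUpload are hypothetical names.
const SIGNATURES = [
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
  // MP4: a 4-byte box size comes first, then ASCII "ftyp" at offset 4.
  { mime: "video/mp4", bytes: [0x66, 0x74, 0x79, 0x70], offset: 4 },
];
const ALLOWED = new Set(SIGNATURES.map((s) => s.mime));

// Return the MIME type whose signature the buffer carries, or null.
function sniffType(buf) {
  for (const { mime, bytes, offset = 0 } of SIGNATURES) {
    if (buf.length >= offset + bytes.length &&
        bytes.every((b, i) => buf[offset + i] === b)) return mime;
  }
  return null;
}

// The declared type must be allow-listed AND agree with the file's own bytes.
function validateUpload(declaredMime, buf) {
  if (!ALLOWED.has(declaredMime)) {
    return { ok: false, reason: "type not permitted" };
  }
  const actual = sniffType(buf);
  if (actual !== declaredMime) {
    return { ok: false, reason: "content does not match declared type" };
  }
  // Serve with the verified type and forbid the browser from re-guessing it.
  return {
    ok: true,
    headers: { "Content-Type": actual, "X-Content-Type-Options": "nosniff" },
  };
}

// Constructed sample inputs.
const enc = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
const realPng = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const htmlAsJpeg = enc("<html><body>not an image</body></html>");

console.log(validateUpload("image/png", realPng));     // accepted
console.log(validateUpload("image/jpeg", htmlAsJpeg)); // rejected: bytes are markup
console.log(validateUpload("text/html", htmlAsJpeg));  // rejected: type not allowed
```

A signature check alone does not catch a file that starts with a valid header and carries markup further in, which is why the accepted result pins the content type and sets `nosniff` instead of leaving the decision to the browser.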
That doesn’t mean that web-based bugs like the one Check Point discovered are an everyday occurrence. Check Point’s Vanunu and Kobeissi both argue that the WhatsApp vulnerability Check Point found represents a rare and uniquely serious flaw. “It’s not a new class of attack,” notes Kobeissi. “But this is an impressive and clever one.”
WhatsApp noted in a statement that it had addressed the flaw Check Point discovered in less than a day from when the company was notified. It nonetheless urged users to restart their browsers to make sure they’re protected. Telegram offered more resistance to Check Point’s findings, countering that the attack only works when a victim clicks on a video that’s already playing in Chrome and opens it in a new tab. “As you can see, the attack against Telegram required very unusual user interaction to succeed,” writes Telegram spokesperson Markus Ra. Ra called Telegram’s security issue “several orders of magnitude less severe” than WhatsApp’s.
But security researchers following the news argue it makes a broader point about the relative fragility of browser-based encrypted apps compared with those running on traditional operating systems. “Folks, especially those who work in security sensitive professions…Don’t use browser versions” of end-to-end encrypted messengers, tweeted Zeynep Tufekci, a privacy- and surveillance-focused professor of information and library science at the University of North Carolina. “Encrypted phone apps are for your phone.”
For those who see encrypted messaging as a mere privacy bonus, in other words, it’s not necessarily time to swear off web-based messaging apps. But for those who need the end-to-end encryption those apps offer, the extra security is worth waiting until you’re back on mobile.