How malicious code hidden within innocent looking images helped attackers hijacked WhatsApp accounts

How malicious code hidden within innocent looking images helped attackers hijacked WhatsApp accounts

Check Point researchers have revealed a new vulnerability on WhatsApp online platform – WhatsApp Web  – the world’s most popular messaging service. By exploiting this vulnerability, attackers could completely take over user accounts, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more.

WhatsApp has over 1 billion users worldwide, making it the most prevalent instant messaging service available today. The company’s web version is available on all browsers and WhatsApp supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and Nokia smartphone

The vulnerability allows an attacker to send the victim malicious code, hidden within an innocent looking image. As soon as the user clicks on the image, the attacker can gain full access to the victim’s WhatsApp storage data, thus giving full access to the victim’s account. The attacker can then send the malicious file to all the victim’s contacts, potentially enabling a widespread attack.

Check Point disclosed this information to the WhatsApp security teams on March 8, 2017. WhatsApp acknowledged the security issue and developed fixes for worldwide web clients. “Thankfully, .

WhatsApp uses end-to-end message encryption as a data security measure, to ensure that only the people communicating can read the messages, and nobody in between. Yet, the same end-to-end encryption was also the source of this vulnerability. Since messages were encrypted on the side of the sender, WhatsApp was blind to the content, and were therefore unable to prevent malicious content from being sent. After fixing this vulnerability, content will now be validated before the encryption, allowing malicious files to be blocked.

Check Point Security Tips

While WhatsApp has patched this vulnerability, as a general practice we recommend the following preventive measures:

  1. Periodically clean logged-in computers from your WhatsApp & Telegram. This will allow you to control the devices that are hosting your account, and shut down unwanted activity.
  2. Avoid opening suspicious files and links from unknown users.



Technical Details – WhatsApp

WhatsApp upload file mechanism supports several document types such as Office Documents, PDF, Audio files, Video and images.

Each of the supported types can be uploaded and sent to WhatsApp clients as an attachment.

However, Check Point research team has managed to bypass the mechanism’s restrictions by uploading a malicious HTML document with a legitimate preview of an image in order to fool a victim to click on the document in order to takeover his account.

Once the victim clicks on the document, the WhatsApp web client uses the FileReader HTML 5 API call to generate a unique BLOB URL with the file content sent by the attacker then navigates the user to this URL.

The attack on WhatsApp consists of several stages that mentioned below.

First, the attacker crafts a malicious html file with a preview image:

WhatsApp web client stores the allowed document types in a client variable called W[“default”].DOC_MIMES this variable stores the allowed Mime Types used by the application.

Since an encrypted version of the document is sent to WhatsApp servers it is possible to add new Mime type such as “text/html” to the variable in order to bypass the client restriction and upload a malicious HTML document.

After adding the malicious document Mime Type to the client variable, the client encrypts the file content by using the encryptE2Media function and then uploads it encrypted as BLOB to WhatsApp server.

Moreover, changing the document name and extension and creating a fake preview by modifying the client variables will make the malicious document more attractive and legitimate to the victim.

This is the result:

Once he clicks on the file, the victim will see a funny cat under blob object which is an html5 FileReader object That means the attacker can access the resources in the browser under

Just by viewing the page, without clicking on anything, the victim’s Local storage data will be sent to the attacker, allowing him to take over his account.

The attacker creates a JavaScript function that will check every 2 seconds if there is new data in the backend, and replace his local storage to the victim.

Part of attacker’s code:

The attacker will be redirected to the victim’s account, and will be able to access anything in it.

WhatsApp web does not allow a client to have more than one active session at a time so after the attacker steal the victim account the victim will receive the following message:

It is possible to overcome this situation from the attacker perspective by adding a JavaScript code like this:

The malicious HTML file that will cause the client browser window to get stuck and allow the attacker to control the account without interference, although the attacker will be connected to victim account until the victim will log from the account. Closing the browser wills not logout the attacker from the account and the attacker will be able to login to user account as long as he wants.

Share this post

Post Comment