If you’ve been using Whatsapp through your desktop browser in the past 2 years, there’s a chance that you may have had your messages silently snooped on. This warning came from researchers on Wednesday who claimed that there had been a flaw in Whatsapp Web from its launch back in January 2015. All users had to do to be exposed to exploitation was click one photo.
The vulnerability was fixed by Whatsapp almost immediately, after hackers at Check Point warned that the attacks were unable to undo the end-to-end encryption message content across as many as hundreds of millions of accounts. Similar issues were found in the Telegram app which was also fixed not long after.
Users will not need to update either of these apps to make sure that they’re no longer vulnerable from hacking and the bugs have only effected the web browser service rather than the mobile and desktop apps. The bug did have the potential to be catastrophic, however. Check Point reported that bug allowed hackers to create a malicious code, hidden within an image or video, to be sent to a user of the app. The code would unleash evil HTML into the user’s web browser and “Once this HTML inject was uploaded and was encrypted and delivered to the other side [the WhatsApp server], the other side was rendering this HTML, innocent-looking image and executed the code that was stealing the local storage of the user,” head of research at Check Point, Oded Vanunu told Forbes. The hacker could then access the local storage data of the user which includes private and group conversations, photos, videos and contacts.
A spokesperson for Whatsapp said, “When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web. To ensure that you are using the latest version, please restart your browser.” The amount of people affected remains unclear but Telegram have claimed that the severity of their problems were much less than those experienced by WhatsApp.