
WhatsApp, Telegram Patch File-Upload Bug

The messaging services are renowned for their end-to-end encryption, which, in this case, also made them vulnerable to attacks.

Tom Brant, Managing Editor


A web server vulnerability could have let hackers hijack the accounts of Telegram and WhatsApp users, security experts disclosed on Wednesday.

The messaging services are popular for their security features, including end-to-end encryption that protects data sent via their smartphone apps. But that end-to-end encryption may have actually made the web versions of Telegram and WhatsApp more vulnerable, according to researchers from Check Point Security, making it relatively easy for hackers to access personal data.

The loophole, which has since been fixed, involved the file-upload tools on the websites of both services. By uploading a malicious document (and, in WhatsApp's case, disguising it with a legitimate preview image), Check Point researchers were able to bypass security safeguards and gain access to the services' user data.

"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," Check Point researchers wrote in a blog post. No hacks are believed to have used this loophole, although Check Point said the danger was very real.

"This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more," the researchers wrote. "This means that attackers could potentially download your photos and/or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts."

Check Point said it disclosed the loophole to WhatsApp's and Telegram's security teams on March 7, and both companies acknowledged the issue and have since developed a fix for their web clients.

That fix is relatively simple: both services now validate files attached to messages before they're encrypted. If you send files or messages via the WhatsApp or Telegram websites, all you need to do is restart your browser so that it loads the latest version of the services' web clients.
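To illustrate why the check has to run on the client before encryption, here is an added example (not code from WhatsApp, Telegram, or Check Point) of a web client that compares an attachment's bytes with its declared type and only then encrypts it. The allow-list, the signature and markup checks, and all function names are assumptions made for illustration, and AES-GCM through the browser's Web Crypto API stands in for the services' own encryption.

```javascript
// Added example. The allow-list and signatures are illustrative assumptions,
// not the checks WhatsApp or Telegram actually ship.
const SIGNATURES = {
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/gif": [0x47, 0x49, 0x46, 0x38], // "GIF8"
  "application/pdf": [0x25, 0x50, 0x44, 0x46, 0x2d], // "%PDF-"
};

// Decide from the plaintext bytes, not from the file name or the MIME type
// the sender claims, whether the attachment may be sent.
function validateAttachment(bytes, declaredMime) {
  const sig = Object.hasOwn(SIGNATURES, declaredMime) ? SIGNATURES[declaredMime] : null;
  if (!sig) return { ok: false, reason: "type not on allow-list" };
  const matches = bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
  if (!matches) return { ok: false, reason: "content does not match declared type" };
  // Also reject files whose first 1 KiB contains document markup.
  const head = String.fromCharCode(...bytes.subarray(0, 1024)).toLowerCase();
  if (/<\s*(!doctype|html|script|svg|iframe)\b/.test(head)) {
    return { ok: false, reason: "embedded markup" };
  }
  return { ok: true, reason: "" };
}

// Validate first, encrypt second: after this call only ciphertext leaves the
// client, so no server-side filter can inspect the content.
// `crypto` is the Web Crypto global (browsers, recent Node.js releases).
async function sealAttachment(bytes, declaredMime, key) {
  const verdict = validateAttachment(bytes, declaredMime);
  if (!verdict.ok) throw new Error(`attachment rejected: ${verdict.reason}`);
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, bytes);
  return { iv, ciphertext: new Uint8Array(ciphertext), mime: declaredMime };
}

// Constructed sample inputs (not taken from the Check Point research).
const enc = (s) => new TextEncoder().encode(s);
const SAMPLE_PNG = Uint8Array.from([...SIGNATURES["image/png"], 0, 0, 0, 13]);
const SAMPLE_HTML_AS_PNG = enc("<html><body>not an image</body></html>");
const SAMPLE_MIXED = Uint8Array.from([...SIGNATURES["image/gif"], ...enc("9a<script>x</script>")]);
```

The receiving client would need to run the same check after decryption, since it cannot assume the sender's client did.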

Telegram downplayed the threat in a blog post, explaining that the vulnerability only applied to malicious videos viewed on its site in the Chrome web browser. The company wrote that "the attack against Telegram required very special conditions and very unusual actions from the targeted user to succeed."

Security experts have questioned Telegram's protections before, including in 2015, when unencrypted copies of the messages sent using the app's Secret Chat tool were found on Android devices.
