The security company Checkpoint recently found a critical security flaw in both the Whatsapp and Telegram services that could have spelled big trouble for their users.
Fortunately, it has already been patched with no apparent damage done, but below, the details of the flaw are outlined because this may not be the last time we see a threat like it.
The attack made use of steganography techniques, which are notoriously difficult to detect and defend against. Basically, if a user clicked on a poisoned sent image, it would run malware designed to first take control of the user’s account (either Whatsapp or Telegram, or both), and from there, ultimately wrest full control of the machine running it.
The scope was limited to impacting the PC versions of those apps. Mobile users were unaffected. The worst part, though, was the fact that the exploit used both services’ encryption against them.
The services provide end to end message encryption, but the flaw in their design was the fact that the messages weren’t verified prior to encryption. They were essentially sending messages “blind” with no knowledge that they were sending something dangerous to the recipient, and thus, no way to warn the device on the other end of the transmission not to run the malicious code.
The patch that was put in place included a verification and validation step, nicely solving the problem, but this incident underscores the problem inherent with increasingly complex security schemes.
It is a paradox.
In our quest for greater security, we devise systems of increasing complexity. In doing so, the system’s own inherent complexity becomes a security hole which can be more easily exploited.
So far, there’s no good fix for that. No solution that has presented itself that has proved to be hack-proof or unbreakable.
Solving that problem is going to be one of the greatest challenges of the era.