WhatsApp and Telegram vulnerabilities allowed attackers to hijack accounts

The vulnerability impacted only the web versions of these apps.
(Luis / Flickr)

Vulnerabilities in the security of WhatsApp and Telegram were announced Wednesday by researchers at Check Point Security in the midst of greater attention being placed on the security of messaging apps with billions of users.

WhatsApp and Telegram’s web versions were vulnerable to phishing attacks that could have allowed hackers to take over a target’s account from which they could access all conversations, files and contacts. The vulnerabilities were disclosed on March 7 and have been fixed on both platforms, according to the researchers.

Web versions of secure chat apps — Signal, considered among experts today’s top secure messenger, also offers a browser version — are widely thought to be significantly less secure than the mobile apps due to the inherent insecurity in browsers. They’re immensely convenient for some users, however, and will likely remain in use as long as they’re offered.




Shortly after the Checkpoint made its announcement, Telegram issued a clarification showing that their vulnerability was different than the WhatsApp issue and required several additional specific steps taken by the victim in order to be compromised.






Although the researchers claimed the attack put hundreds of millions of WhatsApp and Telegram users at risk, that’s a questionable assertion. The attack only impacted the web versions of these platforms while the vast majority of users are on the mobile apps. But for those users on the web versions of the app, it’s a stark reminder that phishing remains an ever-present danger.

Earlier this month, several dramatically more severe vulnerabilities were found in Confide, a messenger secure among Washington D.C. power players.


To ensure your WhatsApp and Telegram web apps are up to date, restart your browser and access the apps again.

Patrick Howell O'Neill

Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.

Latest Podcasts