Experts show how to hijack WhatsApp and Telegram sessions
There is currently a wide range of instant messaging services and, according to information security specialists, many have a security measure known as end-to-end encryption, which prevents third parties from being able to access the content of messages between two users.
However, this does not mean that our information is completely secure, as hackers can still find a way to breach the security of these apps. Using side channel attack techniques, a threat actor could compromise services like WhatsApp and Telegram for malicious purposes.
Information security specialists consider that the main problem is that users of these apps do not have cybersecurity knowledge, so hackers can access some resources, such as login tokens, that are not protected by end-to-end encryption. An example of this is the Telegrab attack, a malware that allows hackers to take control of a Telegram desktop session by copying tokens to access the platform. A report published by Talos reveals some variants of these attacks.
Taking control of a Telegram desktop session
Session hijacking highly likely when using the Telegram web version. Using the appropriate malware (such as the aforementioned Telegrab), a hacker can extract an access token to login to the victim’s account. When the attacker logs in using the stolen token, the new session starts without the user being able to notice.
In the end, the messages received by the victim are replicated to the session under the attacker’s control.
Shadow sessions in Telegram app
Although it is much more complicated to breach security in the mobile version of Telegram, this does not mean that it is impossible. Some malicious apps can create a “shadow session” without victim interaction, only requiring some minimal permission such as accessing SMS or killing background processes.
When registering with Telegram, the application asks the user for a phone number, which will be verified via an SMS with a unique code. If a user tries to register the same phone number again, Telegram will send a code via the Telegram channel and not as an SMS.
This change prevents malicious apps from creating shadow sessions without user interaction, as it ban them from accessing Telegram’s security code. However, if the time to complete the registration is exhausted, Telegram assumes that the user does not have access to the app yet, so it sends a new code via SMS. This creates a race condition that can be exploited by malicious apps to create a shadow session without user interaction.
Hijacking a WhatsApp Web session
Unlike Telegram, WhatsApp does notify users in case there is a second active session in the web version of the app. According to information security experts, if an attacker initiated a WhatsApp Web session, the target user will receive a notification informing about the new active session.
In this scenario, the attacker will have access to all the information in the attacked WhatsApp account until the victim chooses an option to close the second active session from their computer. However, a flaw in this protection method allows hackers to bypass security by performing the following steps:
- The hacker must stop the application on the victim’s computer
- The hacker starts WhatsApp with the stolen information
- The hacker will then disable the network interface on the machine running the hijacked session
- Attacker logs in again in WhatsApp Web on the victim’s machine
- Finally, the hacker will enable the network interface on the machine running the hijacked session
Thanks to this method, hackers can access the contents of the victim’s WhatsApp account, staying online unless the victim logs out manually on their mobile device.
While these services stand out for being secured, information security specialists from the International Institute of Cyber Security (IICS) believe that it is necessary to involve users more in the implementation of additional security measures for any other attack variant.
Originally published at https://www.securitynewspaper.com on September 19, 2019.