Vulnerability Discovered – Why You Shouldn’t Use WhatsApp and Telegram on the Web

According to the Israeli security firm Check Point, even encrypted messenger apps like WhatsApp and Telegram can be penetrated by malware. Just this month, spokesperson Doros Hadjizenonos announced the firm had discovered a weakness in the web versions of these apps. The vulnerability allowed hackers to send a contaminated photo capable of infecting the entire account upon opening. Both companies have reacted immediately to patch the problem and users who have downloaded the latest version should be protected. However, security experts are still advising that high-risk individuals stick to the mobile version of WhatsApp and Telegram.

Encrypted Apps are the Secure Choice

Privacy and reputation go hand in hand. ReputationDefender clients include individuals and businesses working to build a positive web profile. A few personal details or a private message made public can quickly undo months of effort. With over 1 billion users, WhatsApp is the go-to messenger app and the announcement of ‘end-to-end encryption’ last year made it one of the more secure choices as well. A unique encryption key means no one but the intended receiver can unlock and read the message, not even WhatsApp itself. Meanwhile, the lesser known Telegram has been offering ‘Secret Chats’ that rely on a similar encryption key for several years.

What Went Wrong?

Unfortunately, in this case encryption created its own unique problem. Since the sender’s content was scrambled before upload, the app wasn’t always able to identify contaminated files. Hackers could conceal HTML code in a harmless-looking image and send it to an unsuspecting user. Opening the message in a web application would allow the malware to run immediately on the user’s browser, giving hackers access to the entire account: personal contacts, messages, images… everything.

Hadjizenonos has assured users that WhatsApp and Telegram both responded quickly and responsibly to Check Point’s warning. The input validation process has been improved to identify and block files containing malware on both web and mobile versions. As always, it’s important to download the latest updates immediately, since these often contain fixes for weaknesses and vulnerabilities that have just been discovered.
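A sketch of the kind of input validation described above, as an added example rather than WhatsApp's or Telegram's actual fix: because content is encrypted before upload, the check runs on the sender's plaintext bytes and compares the declared image type with the file's leading signature. The function name, the allowed-type list and the sample inputs are assumptions made for illustration.

```javascript
// Added example: validate an attachment by content, not by its declared type.
// A Map (not a plain object) so names like "constructor" cannot match.
const IMAGE_SIGNATURES = new Map([
  ["image/png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["image/jpeg", [0xff, 0xd8, 0xff]],
  ["image/gif", [0x47, 0x49, 0x46, 0x38]],
]);

// Tags that indicate the bytes are markup a browser could render or run.
const HTML_MARKERS = /<\s*(!doctype|html|head|body|script|iframe|svg)\b/i;

function startsWith(bytes, signature) {
  return bytes.length >= signature.length &&
    signature.every((b, i) => bytes[i] === b);
}

// declaredType: MIME type the sender claims (assumed input).
// bytes: plaintext file content as a Uint8Array, before encryption.
function validateImageAttachment(declaredType, bytes) {
  const signature = IMAGE_SIGNATURES.get(declaredType);
  if (!signature) {
    return { ok: false, reason: "declared type is not an allowed image type" };
  }
  if (!startsWith(bytes, signature)) {
    // Decode only a bounded prefix to say whether the body is markup.
    const head = String.fromCharCode(...bytes.slice(0, 512));
    const reason = HTML_MARKERS.test(head)
      ? "content is HTML, not " + declaredType
      : "content does not match " + declaredType;
    return { ok: false, reason };
  }
  return { ok: true, reason: "signature matches " + declaredType };
}

// Constructed sample inputs (not taken from any real message).
const samplePng = Uint8Array.from(
  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const sampleHtml = new TextEncoder().encode(
  "<html><body><script>/* constructed */</script></body></html>");

console.log(validateImageAttachment("image/png", samplePng));
console.log(validateImageAttachment("image/png", sampleHtml));
console.log(validateImageAttachment("text/html", sampleHtml));
```

A signature check only confirms how the file begins, so the receiving side should also render the attachment strictly as the verified image type and never as a document.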

What’s Different with Web Apps?

The larger lesson is that the mobile versions of WhatsApp and Telegram are more secure than the web-based versions. Web apps use JavaScript, which can take in new code and overwrite functionality immediately. Mobile apps don’t support this ‘just-in-time’ compiling; changes must be downloaded and configured before installation. This means users are better protected from the type of vulnerability spotted by Check Point.

Although this particular risk has been eliminated, it won’t prevent hackers from discovering a new access point in the future. If your WhatsApp account contains data that could hurt you if it were made public, it’s best to avoid messaging on the web. Stick to mobile, where there’s an extra layer of security.

Victims of Revenge Porn Need More Privacy

Revenge porn, publicly posting explicit photos after a break-up, is a troubling online phenomenon that appeared about five years ago. Worryingly, it is becoming increasingly prevalent and affecting growing numbers of men and women. A recent UK law took steps to address the issue, clearly making it a crime to post images or video without the subject’s consent; however, the bill lacks important protections for victims’ privacy and identity. This is a concern for us at ReputationDefender since anyone coming forward to report a violation can find their online reputation damaged even further with articles and posts related to the trial.

Defining the offense

Calling revenge porn a sexual offense would give victims anonymity for life; however, the Home Office recently rejected this definition, saying that even though “victims can in some circumstances feel violated,” lack of actual “contact” or “gratification” makes the offense “malicious” rather than “sexual”.

Dr. Clare McGlynn, a professor of law at Durham University, disagrees with this assessment. She believes that even though the crime is “image-based” it is still a form of “sexual exploitation” and therefore warrants the same level of victim protection as other forms of “sexual abuse.” According to McGlynn, the law’s focus on perpetrator intent rather than the consequences for victims detracts from its purpose. Many subjects of revenge pornography face real psychological damage, not to mention the harm done to their career and future relationships.

Revenge porn prosecution rates are low

Unfortunately, lack of automatic anonymity for victims has had a significant effect on the number of cases that are prosecuted under the new law. Revenge pornography became a specific crime in the UK as of April 2015 and by December of that year, 1,160 cases had been reported to the police, including three cases where victims were children of eleven years old. However, 61 percent of the accusations resulted in no action being taken, either because of insufficient evidence or because the subject of the photos chose not to pursue prosecution. Only 11 percent resulted in an actual conviction.

Maria Miller, one of the MPs who pushed for a law dealing with revenge porn, says this is directly related to anonymity. “Too often victims say they can’t face the prospect of their case coming to court,” she says.

The majority of people believe victims deserve anonymity

There is a lot of public support for McGlynn and Miller’s position on this issue, according to a new poll from ICM. Of the 2,048 people questioned, 75 percent believed that victims of revenge porn should be given the same protections as victims of other sexually related crimes. Among women, the numbers were slightly higher at 77 percent while only 72 percent of men were in agreement. Unfortunately, as long as the Home Office’s decision stands, public opinion won’t help victims of revenge porn who feel they may face more harassment for coming forward. If you are facing this situation and are concerned about the risks of disclosure, contact our privacy experts at ReputationDefender.