Anyone believing that end-to-end encryption makes messaging apps impregnable is sadly mistaken. That’s the bad news. The good news is that it only affects the web versions of the two apps in question – which are arguably the lesser used ones.
Check Point, an Israel-based security firm, has revealed that end-to-end encryption on both the WhatsApp and Telegram instant-messaging services can be bypassed by the simple expedient of hiding HTML code in an innocent-looking image or video. If clicked on while using the web version of the app, the code runs in the victim’s browser – giving the attacker full access to messages, shared photos, videos and contact lists.
WhatsApp’s one billion plus users will be reassured to know that, once alerted, the messaging service provider instantly fixed the flaw. Telegram, on the other hand, seems rather less concerned and has not taken immediate steps. The best advice is only to use instant messaging apps on a smart phone rather than a browser, as their end-to-end encryption is optimised for mobile.