A group of researchers from cybersecurity firm Check Point revealed Wednesday that the web browser version of these popular encrypted-messaging apps had flaws that could have let hackers access and alter user accounts.
“This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts,” the researchers wrote in a blog post published Wednesday.
The research comes at a sensitive time for encrypted-messaging services, which have come under fire for being vulnerable to hacking attacks. These apps scramble up communications as they travel from one user to another, making them unreadable to anyone but the sender and receiver.
So even though two recent claims that encrypted-messaging apps are vulnerable have been criticized by security experts as exaggerated or misleading, users are naturally alarmed by research like Check Point’s.
Check Point says it was able to access WhatsApp user accounts by sending a photo file containing malicious code. If the user was accessing his or her account from a browser and clicked on the photo, it gave full access to the sender.
The Telegram hack was a bit more complicated. Researchers showed they could send a video file to their intended victims that also contained malicious code. For the attack to succeed, the user would need to be logged in on a browser, click “play” on the video and then open it in another browser tab.
The messaging services have each patched the problem affecting their browser-based applications. The hacks were possible because the encrypted-messaging services would encrypt the files and send them without evaluating them for malicious code. As a result, “WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent,” Check Point researchers wrote.
“We build WhatsApp to keep people and their information secure,” WhatsApp said in an emailed statement, “When Check Point reported the issue, we addressed it within a day and released an update of WhatsApp for web.”
Telegram also said it patched the problem, but countered Check Point’s message in a testy statement released Wednesday. Calling the researchers “irresponsible,” the company said it was unlikely that a user would go through the steps necessary for the hack to work.
“The attack against Telegram required very special conditions and very unusual actions from the targeted user to succeed,” the statement said. The company also refuted Check Point’s claim that the attack would work in any browser, saying it only had worked in Chrome.
“We still fixed this immediately, of course,” the statement said.
It’s not the first time that encrypted-messaging apps have pushed back on claims their users’ messages are vulnerable.
Earlier in March, WikiLeaks claimed that government spies could access messages sent on WhatsApp, Telegram and a similar service called Signal, with its apparent cache of hacking tools -- but the companies were quick to point out that the encryption in the apps still works just fine, and the messages were still encrypted as they traveled across the internet.
And in January, a UC Berkeley researcher said he found a “backdoor” into WhatsApp messages, but the company said the issue flagged by the researcher was an intentional design decision and that it would not be used to intercept messages on behalf of any government.
Check Point didn’t respond to a request for comment on the Telegram statement.
This article originally appeared on CNET.