Researchers discovered an exploit in popular encrypted messaging apps WhatsApp and Telegram that would have allowed hackers to take over a user’s account and access personal data, Check Point Security announced Wednesday.

To get your WhatsApp or Telegram account hacked, all you had to do was open a file, such as a picture, which contains malicious code. Once you click the file, hackers would be able to get into the app’s local storage, which is dangerous since the apps are fully synced with your device.

Read: WikiLeaks Vault 7, Year Zero: CIA Can Hack iOS, Android Devices, Access Encrypted Messaging Apps Like WhatsApp, Alleged Documents Say

The flaw would have also allowed attackers to access a user’s conversations, photos, videos and shared files, contact lists, and other information. By accessing user’s data, attackers could have used that information to demand ransom from victims, send messages on their behalf, download and post photos on the internet or take over their friends’ accounts through the contacts list.

Since the apps have no way of reading the messages between users, it’s easy for malicious files to pass through without being detected.

The researchers reported the flaw to WhatsApp and Telegram and both companies verified and admitted the security issue and developed a fix for users worldwide.

“Following the patch of this vulnerability, content is now validated by WhatsApp and Telegram before the encryption, allowing them to block malicious files,” Check Point said. “WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.”

Check Point recommends continual cleaning of logged-in computers from your WhatsApp and Telegram so you can have more control over your account and shut down unwanted activity. Researchers also tell users to avoid opening suspicious files and links from unknown users.

Read: Russian Hackers Blackmail US Liberal Groups After Stealing Emails And Documents, Report Says

With WhatsApp, attackers could have sent a malicious HTML file that would allow them to take over and lock out the user, since the app only allows one active session at a time.

“Closing the browser wills not logout the attacker from the account and the attacker will be able to login to user account as long as he wants,” researchers said.

Check Point uploaded a video showing how attackers could take over WhatsApp accounts:

When it comes to Telegram, researchers were able to bypass the app’s “upload policy and upload a malicious HTML document with a mime type of a video file ‘video/mp4.’” That allowed them to send that file to the user in an encrypted channel through Telegram servers. When users open the video in a new browser tab, the individual's session data gets sent to the hacker. The user wouldn’t even know he or she has been hacked, since Telegram allows multiple active sessions at a time.

Here’s how Telegram accounts can be taken over:

RELATED STORIES
Software WhatsApp App Video