WhatsApp Flaws Could Affect Hundreds of Millions of Users


Significant vulnerabilities have been uncovered in WhatsApp Web, the web-based extension of the popular WhatsApp application for phones. The exploit can allow attackers to trick victims into executing malware on their machines in a new, sophisticated way.

WhatsApp Web mirrors all messages sent and received (including images, videos, audio files, locations and contact cards), and fully synchronizes users’ phones and desktop computers so that users can see all messages on both devices. It is available for most WhatsApp-supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and Nokia smartphones.

Check Point security researcher Kasif Dekel found that to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent ‘vCard’ contact card containing malicious code. Once opened in WhatsApp Web, the executable file in the contact card can run, further compromising computers by distributing malware including ransomware, bots, remote access tools (RATs) and other types of malicious code.

“To target an individual, all an attacker needs is the phone number associated with the account,” he explained in an analysis.
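The contact-card issue described above comes down to a client trusting that something labelled a vCard really is one. The following sketch is an added example, not WhatsApp's code and not the fix WhatsApp shipped: it shows a receiver-side check that a contact-card attachment has a `.vcf` name and a body made only of vCard content lines. The `fileName` and `data` fields, the function name and the sample values are assumptions made for illustration.

```javascript
// Added example: receiver-side validation of a contact-card attachment.
// The {fileName, data} shape is hypothetical, not WhatsApp's API.

// Constructed sample of a well-formed card.
const SAMPLE_CARD = {
  fileName: "alice.vcf",
  data: "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n" +
        "TEL;TYPE=CELL:+15550100\r\nEND:VCARD\r\n",
};

// Returns a list of reasons to reject; an empty list means the card passes.
function checkContactCard({ fileName, data }) {
  const problems = [];
  const name = String(fileName).trim().toLowerCase();
  const text = String(data);

  // 1. The name the file would be saved or opened under must be a vCard name.
  if (!name.endsWith(".vcf")) problems.push("extension is not .vcf");
  if (/[\\\/\0]/.test(name)) problems.push("file name contains path characters");

  // 2. The body must be plain text (tab, CR and LF are the only controls allowed).
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f]/.test(text)) {
    problems.push("binary content in card body");
  }

  // 3. The body must be framed as a vCard.
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  const first = (lines[0] || "").toUpperCase();
  const last = (lines[lines.length - 1] || "").toUpperCase();
  if (lines.length < 3 || first !== "BEGIN:VCARD" || last !== "END:VCARD") {
    problems.push("not framed by BEGIN:VCARD / END:VCARD");
  }

  // 4. Every line must have the "NAME[;params]:value" shape of a vCard
  //    content line; lines starting with space or tab are folded continuations.
  const contentLine = /^[A-Za-z0-9.-]+(;[^:]*)?:/;
  const bad = lines.find((l) => !/^[ \t]/.test(l) && !contentLine.test(l));
  if (bad !== undefined) problems.push("non-vCard line in body");

  return problems;
}

// A card is only handed to the UI when no problem was found.
function isSafeContactCard(card) {
  return checkContactCard(card).length === 0;
}
```

A check like this belongs on both the server that relays the card and the client that renders it, so that a card rejected by one is never offered for opening by the other.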

The ramifications could be extensive: In September 2015, WhatsApp announced they had reached 900 million active users a month, and at least 200 million are estimated to use the WhatsApp Web interface. 

WhatsApp has verified and acknowledged the security issue and has developed a fix for web clients, so users should update their WhatsApp Web software immediately to ensure they are protected. All versions of WhatsApp Web after v0.1.4481 contain the fix for the vulnerability.

“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, security research group manager at Check Point, in an email. “We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”
