Security company Check Point has alerted WhatsApp about vulnerabilities in its new Web client and urges users to update their WhatsApp Web now to make sure they are patched and protected.
Check Point security researcher Kasif Dekel recently discovered a significant vulnerability in WhatsApp Web's message-handling logic that allowed attackers to trick victims into executing arbitrary code on their machines. All an attacker needed to do was send the target a seemingly innocent vCard carrying malicious code. Once opened, the supposed contact card turns out to be an executable file, which can then compromise the computer further by dropping bots, ransomware, RATs or other malware.
To target an individual, all an attacker needs is the phone number associated with the account.
WhatsApp verified and acknowledged the security issue and has deployed the fix in web clients worldwide.
Check Point shared its discovery with WhatsApp on 21 August 2015; on 27 August, WhatsApp rolled out an initial fix (in all versions greater than 0.1.4481) and blocked that particular feature.
WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.
The vulnerability lies in improper filtering of contact cards, which are sent using the popular vCard format.
Dekel found that, by manually intercepting and crafting the XMPP requests sent to the WhatsApp servers, it was possible to control the file extension of the contact card file. Once the victim clicks the downloaded file (which they assume is a contact card but which is in fact a batch file), the code inside it runs on their computer. On a Windows machine configured to hide known file extensions, the default, contact.bat and contact.vcf look alike in the download list, which is what makes the trick convincing.
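The following is an added example, not WhatsApp's or Check Point's code, showing the difference between a web client that names a downloaded contact card after whatever the sender's request says and one that derives the name from what it can verify about the attachment. The message shape `{type, fileName, body}`, the two handler functions and the sample messages are all assumptions constructed for the illustration; the real client's objects look different.

```javascript
// Added example, not WhatsApp's or Check Point's code. It contrasts a handler
// that trusts a sender-supplied attachment name with one that derives the
// download name from what the client can verify about the attachment.
// The message shape {type, fileName, body} is a hypothetical stand-in for the
// real client's message object.

// A well-formed vCard: BEGIN:VCARD on the first line, END:VCARD on the last,
// nothing but whitespace after it.
const VCARD_RE = /^BEGIN:VCARD\r?\n[\s\S]*?\r?\nEND:VCARD\s*$/i;

// Weak handler: whatever name arrived in the message is used for the download,
// so a request crafted to say "contact.bat" produces a batch file on disk.
function weakDownloadName(msg) {
  return msg.fileName;
}

// Hardened handler: the extension is fixed by the attachment type, the body is
// checked to actually be a vCard, and only a sanitised base name survives.
function safeDownloadName(msg) {
  if (msg.type !== 'contact') {
    throw new Error('not a contact message');
  }
  const body = String(msg.body || '').replace(/^\uFEFF/, '');
  if (!VCARD_RE.test(body)) {
    // A .vcf name on a script payload must not be enough to get it saved.
    throw new Error('contact payload is not a vCard');
  }

  // Keep the last path segment only, cut at the first dot so that
  // "card.vcf.bat" becomes "card", and strip characters that are invalid in
  // file names or that can disguise an extension (controls, bidi overrides).
  let base = String(msg.fileName || '')
    .split(/[\\\/]/).pop()
    .split('.')[0]
    .replace(/[\x00-\x1f\x7f"<>|:*?\u200e\u200f\u202a-\u202e]/g, '')
    .trim();

  if (!base) {
    // Nothing usable was supplied: fall back to the card's own FN field.
    const fn = body.match(/^FN:(.+)$/im);
    base = fn ? fn[1].trim().replace(/[^\w .-]/g, '').trim() : '';
  }
  if (!base) {
    base = 'contact';
  }
  return base.slice(0, 100) + '.vcf';
}

// Constructed sample messages (not real captures).
const VALID_VCARD =
  'BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:+10000000000\r\nEND:VCARD\r\n';

const SAMPLES = {
  // ordinary contact card as the mobile app would send it
  benign: { type: 'contact', fileName: 'Alice Example.vcf', body: VALID_VCARD },
  // name rewritten in the outgoing request; the card itself is unchanged
  renamed: { type: 'contact', fileName: 'Alice Example.bat', body: VALID_VCARD },
  // name says vCard, payload is a batch script
  script: { type: 'contact', fileName: 'Alice Example.vcf', body: '@echo off\r\nstart evil.exe\r\n' },
  // path traversal plus a double extension
  doubled: { type: 'contact', fileName: '..\\..\\card.vcf.bat', body: VALID_VCARD },
};

// Run both handlers over every sample and collect what each would save.
function demo() {
  const out = {};
  for (const [name, msg] of Object.entries(SAMPLES)) {
    let safe;
    try {
      safe = safeDownloadName(msg);
    } catch (e) {
      safe = 'REJECTED: ' + e.message;
    }
    out[name] = { weak: weakDownloadName(msg), safe };
  }
  return out;
}

console.log(demo());
```

The point of the hardened handler is that the extension comes from the attachment type the client already knows, never from the sender; the vCard content check is defence in depth, since a script could still hide inside a syntactically valid card but would then be saved as .vcf and opened by a contacts application rather than run as a batch file. A server-side check of the same kind, which is what the initial mitigation amounted to, catches the crafted request before it reaches any client.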
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” says Oded Vanunu, security research group manager at Check Point.