A potential security flaw has been discovered in WhatsApp Web that could affect 200 million users. WhatsApp, one of the most popular instant messaging platforms, recently launched a web version for desktop users. WhatsApp Web is the web-based interface of the most widely used instant messaging app. The new vulnerability can allow attackers to make users run arbitrary code on their systems, which could eventually affect millions of WhatsApp users.
The dangerous security flaw was found by Kasif Dekel, a researcher at the Israeli security firm Check Point. According to a blog post by Check Point, the vulnerability in WhatsApp Web can put 200 million users at risk.
vCard Vulnerability Attack
The vulnerability can be exploited simply by sending a WhatsApp user a vCard contact card that contains an executable file (malicious code). If the user unknowingly opens the innocuous-looking vCard in WhatsApp Web, the code can run on the victim's machine. The attack is aimed mainly at users of the web version, who are tricked into letting malware onto their computers. This malware can include the following:
- Bots: these can cause machines to slow down to a crawl.
- Remote Access Tools (RATs): these give hackers remote access to the victim's (the WhatsApp user's) PC.
- Ransomware: this forces WhatsApp users to pay a ransom in order to regain complete access to their systems and personal data.
- Other malicious software.
If the user runs this executable file on their PC, any of the malware listed above could affect the user's system. The blog post also says that hackers have a number of ways to exploit the security issue. For instance, they can send files named WhatsApp Emoticons so that some users might be enticed to click on them.
How Does the WhatsApp Vulnerability Work?
The attacker sends the targeted WhatsApp user a vCard contact card that contains the malicious code. To target an individual, the attacker mainly requires the phone number associated with the WhatsApp account. Dekel, the security researcher at Check Point, found that it was possible to change the file extension of a vCard to .bat, a batch executable script. WhatsApp might then think that the user is just receiving a vCard, when it is in fact executable code.
According to the researcher, it is easy for anyone to create and send a .BAT file as a legitimate-looking vCard that appears like any other message from a friend but actually triggers malicious code when clicked.
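The following JavaScript is an added example, not code from Check Point or WhatsApp: a receiver-side check that accepts a contact card only when both its file extension and its body identify it as a vCard, and that saves it under a name chosen by the client rather than by the sender. The function names, the attachment fields and the sample attachments are assumptions constructed for illustration.

```javascript
"use strict";
// Added example; names and attachment fields are hypothetical.
const ALLOWED_EXTENSIONS = new Set(["vcf", "vcard"]); // vCard extensions per RFC 6350

// Final extension, lower-cased. Trailing dots and spaces are dropped first
// because Windows strips them from file names, so "card.bat." is still a batch file.
function finalExtension(name) {
  const trimmed = name.replace(/[. ]+$/, "");
  const dot = trimmed.lastIndexOf(".");
  return dot === -1 ? "" : trimmed.slice(dot + 1).toLowerCase();
}

// Structural check of the body: BEGIN/END wrapper, a VERSION line, and every
// logical line shaped like "NAME[;params]:value".
function looksLikeVCard(body) {
  const lines = body
    .replace(/\r?\n[ \t]/g, "") // unfold continuation lines
    .split(/\r?\n/)
    .filter((line) => line !== "");
  const property = /^[A-Za-z0-9.-]+(;[^:]*)?:/;
  return lines.length >= 3 &&
    /^BEGIN:VCARD$/i.test(lines[0]) &&
    /^END:VCARD$/i.test(lines[lines.length - 1]) &&
    lines.some((line) => /^VERSION:/i.test(line)) &&
    lines.every((line) => property.test(line));
}

// Accept only when name and content agree; never reuse the sender's file name.
function checkContactCard(attachment) {
  const ext = finalExtension(attachment.name);
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension ".${ext}" is not a contact card` };
  }
  if (!looksLikeVCard(attachment.body)) {
    return { ok: false, reason: "body is not a well-formed vCard" };
  }
  return { ok: true, saveAs: "contact.vcf" };
}

// Constructed sample attachments (harmless).
const VCARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n" +
  "TEL;TYPE=CELL:+10000000000\r\nEND:VCARD\r\n";
const BATCH = "@echo off\r\necho constructed sample\r\n";
const samples = [
  { name: "Alice.vcf", body: VCARD }, // genuine card
  { name: "Alice.bat", body: VCARD }, // card content, script extension
  { name: "Alice.vcf", body: BATCH }, // script content, card extension
];
for (const s of samples) console.log(s.name, checkContactCard(s));
```

Only the first sample is accepted; the other two fail because the name and the content do not both describe a vCard.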
Generally, the business contact card seems perfectly legitimate, and it is impossible for a user to know whether the contact is laced with malicious code. Once the vCard is opened in WhatsApp Web, the executable file in the card starts running on the target machine, resulting in an infected machine. The malicious code can do the following after attacking the target's device:
- It can take complete control over the target's machine.
- It can use the target machine to spread malicious viruses.
- It can monitor all the activities of the targeted victim.
Check Point said that it has informed WhatsApp of the vulnerability. The popular instant messaging service then issued an update on August 21 to fix the bug. WhatsApp Web v0.1.4481 and later are not affected by the vulnerability. The security flaw affects only WhatsApp versions before v0.1.4481, and users are recommended to run the fully updated version of WhatsApp on their PC.
Oded Vanunu, Security Research Group Manager at Check Point, said, “Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client.”
WhatsApp, which is used by millions of users across the globe, recently announced that it had reached 900 million monthly active users. The new web version of WhatsApp offers numerous features, including the ability to send and receive text and audio notes. The new WhatsApp Web is used by more than 200 million users.