Security researchers from Check Point claim that a flaw in the Web app version of WhatsApp could put as many as 200 million users at risk. The “MaliciousCard” vulnerabilities could enable an attacker to assume complete control of the victim’s PC.
WhatsApp is a messaging platform that works across Android, iOS, Windows Phone, Nokia smartphones, and even BlackBerry. Facebook recently announced that WhatsApp has more than 900 million monthly active users. The Web application is a Web-based extension of the popular mobile messaging platform that mirrors all activity from the mobile app and keeps messages synchronized so that users can see messages sent and received on both devices.
A blog post from Check Point explains:
Check Point security researcher Kasif Dekel recently discovered significant vulnerabilities which exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malware.
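The core of the problem described above is a file that is presented as a contact card but whose bytes are an executable. The following check, an added example that is not Check Point's or WhatsApp's code, shows how a client or gateway could validate an attachment that claims to be a vCard before handing it to the user: require a plain `.vcf` name, reject known executable magic bytes, and insist on a text `BEGIN:VCARD ... END:VCARD` envelope. The sample card and the PE header stub are constructed for the example.

```python
import re

# Magic bytes of common executable containers. A "contact card" that
# starts with one of these is not a vCard at all.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"PK\x03\x04": "ZIP container (JAR/APK/Office)",
}

def check_vcard_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for an attachment presented as a vCard."""
    # Exactly one extension, and it must be .vcf (rejects contact.vcf.exe).
    if not re.fullmatch(r"[^.]+\.vcf", filename.lower()):
        return False, f"unexpected filename {filename!r} (expect name.vcf)"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"content is a {kind}, not a vCard"
    if b"\x00" in data:
        return False, "NUL bytes present; not a text vCard"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 text"
    lines = [ln for ln in re.split(r"\r?\n", text.strip()) if ln.strip()]
    if not lines or lines[0].strip().upper() != "BEGIN:VCARD":
        return False, "missing BEGIN:VCARD header"
    if lines[-1].strip().upper() != "END:VCARD":
        return False, "missing END:VCARD footer"
    if not any(ln.upper().startswith("VERSION:") for ln in lines):
        return False, "missing VERSION property"
    # Every body line must be a property (NAME[;params]:value) or a
    # folded continuation line, which RFC 6350 starts with whitespace.
    for ln in lines[1:-1]:
        if ln[0] in " \t":
            continue
        if not re.match(r"^[A-Za-z0-9-]+(;[^:]*)?:", ln):
            return False, f"malformed property line: {ln[:40]!r}"
    return True, "well-formed vCard"

# Constructed samples: a genuine card and a renamed executable stub
# carrying only a PE header (not a real binary from the research).
GOOD_CARD = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane\r\nFN:Jane Doe\r\n"
             b"TEL:+15555550100\r\nEND:VCARD\r\n")
FAKE_CARD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in [("jane.vcf", GOOD_CARD), ("contact.vcf", FAKE_CARD),
                       ("contact.vcf.exe", GOOD_CARD)]:
        print(name, check_vcard_attachment(name, blob))
```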
There is significant risk here, but there are also mitigating factors that should prevent most users from being affected.
Richard Cassidy, technical director of EMEA for Alert Logic, cautions, “Given the inherently open trust model that WhatsApp is built on, such as finding contacts in address books who may be using WhatsApp and sending invites openly to others, in addition to open sharing of files, images, videos and of course vCards, it’s an app that presents a great deal of opportunity for attackers to trick users (for whom they have details) into opening a seemingly legitimate or interesting file that could lead to an exploit of the host device.”
“While the impact of this exploit is quite scary in that an attacker can take full control of a victim’s computer, it does require the target user to be tricked into opening a vCard that they don’t recognize, making it analogous to an email phishing attack,” explained Rob Sobers, director with Varonis. “With the user-base of the web app being so large (200M+), we might see users continue to fall victim until WhatsApp forces users to upgrade to a patched version.”
There is a silver lining as well, though. TK Keanini, CTO of Lancope, offers this insight and a little advice: “The news here is not the vulnerability but the agility and responsiveness of the application vendor to protect their community of users. This is what responsible disclosure looks like and an example of a software vendor that users can trust to do the right thing (quickly). It is the users’ responsibility to keep things up to date. If you don’t know if you are up to date, chances are that you are not.”