An Israeli firm has discovered a security flaw in WhatsApp Web, the web client for the messaging platform WhatsApp, that exposes some 200 million users to the risk of having their computers hacked or hijacked.
Check Point Software Technologies says in a blog post that cyber-criminals can easily exploit a security hole in WhatsApp Web by disguising executable files, such as ransomware and remote access tools, as digital contact cards and sending them to random WhatsApp users.
Once a user opens the disguised file, the malware executes immediately and installs itself on the system. Attackers can make use of the security hole, first uncovered by Check Point security researcher Kasif Dekel, to lock the system down and only offer to unlock it once the user agrees to pay a certain amount of money, or to gain full access to a system and its contents.
"The vulnerability lies in improper filtering of contact cards, sent utilizing the popular vCard format," says Check Point. "During Kasif's research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file. He first changed the file extension to .BAT, which indicates a Windows batch (executable script) file."
Because the WhatsApp web client cannot differentiate between a real vCard and malware simply disguised as one of these business cards, the system lets the malware pass, and most users do not know any better than to click the executable file.
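The filtering gap Check Point describes, a client-supplied extension being trusted for a file that is supposed to be a contact card, is illustrated below with an added example that is not WhatsApp's code: a server-side check that accepts an attachment as a vCard only when the normalized extension and the payload's structure agree. The function names, size limit and sample payloads are constructed for this illustration.

```javascript
// Added example (constructed, not WhatsApp's code): validate a contact-card
// attachment before relaying it, instead of trusting the extension the sender chose.

const VCARD_EXT = '.vcf';
const MAX_VCARD_BYTES = 64 * 1024; // assumed upper bound for a contact card

function normalizeName(name) {
  // Drop any path component and the trailing dots/spaces that Windows ignores,
  // so "card.vcf." or "card.bat " cannot slip past a naive extension check.
  const base = name.split(/[\\/]/).pop() || '';
  return base.replace(/[.\s]+$/, '').toLowerCase();
}

function looksLikeVCard(text) {
  // Structural check on the content itself: a vCard opens with BEGIN:VCARD,
  // closes with END:VCARD and carries a VERSION property in between.
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  return (
    lines.length >= 3 &&
    lines[0].toUpperCase() === 'BEGIN:VCARD' &&
    lines[lines.length - 1].toUpperCase() === 'END:VCARD' &&
    lines.some((l) => /^VERSION:(2\.1|3\.0|4\.0)$/i.test(l))
  );
}

// Returns { ok: true, safeName } or { ok: false, reason }.
// `id` is a server-assigned attachment id used to build the delivered filename,
// so the receiver never sees the sender-controlled name at all.
function validateContactCard(clientName, payload, id) {
  const name = normalizeName(clientName);
  if (!name.endsWith(VCARD_EXT)) {
    return { ok: false, reason: 'extension is not ' + VCARD_EXT };
  }
  if (payload.length > MAX_VCARD_BYTES) {
    return { ok: false, reason: 'payload too large for a contact card' };
  }
  if (!looksLikeVCard(payload)) {
    return { ok: false, reason: 'payload is not a vCard' };
  }
  return { ok: true, safeName: 'contact-' + String(id) + VCARD_EXT };
}

// Constructed sample payloads (not real traffic).
const GENUINE_VCARD = 'BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nEND:VCARD\r\n';
const NOT_A_VCARD = '@echo off\r\necho this is a batch script, not a contact\r\n';
```

Both checks are needed: the extension check alone would still accept a script body under a `.vcf` name, and the content check alone would still deliver a genuine vCard body under an executable name.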
The one thing that deters criminals from turning the flaw into a full-blown attack is that they need to obtain users' phone numbers in order to send them the malicious vCards, which is not exactly difficult, given the huge black market for phone numbers.
The good news, however, is that the WhatsApp team at Facebook quickly responded to Check Point's discovery and released a patch to fix the security hole. Users are encouraged to update their WhatsApp web client to ensure they do not become the victims of unscrupulous individuals looking to take advantage of the flaw.
"We applaud WhatsApp for such proper responses and wish more vendors would handle security issues in this professional manner," says Check Point. "Software vendors and service providers should be secured and act in accordance with security best practices."