Researcher Kasif Dekel from security firm Check Point has discovered a security flaw in WhatsApp Web that could affect more than 200 million users. The flaw can be used by hackers to trick users into executing arbitrary code, simply by sharing a malicious contact file in vCard format. The only thing an attacker needs is the target's registered WhatsApp phone number.
To exploit the vulnerability, a hacker shares a contact with the malicious code embedded in it with the targeted user. The user sees it as a normal contact file, and the moment they click on it, the file executes arbitrary code that can infect the PC with remote access trojans (RATs), ransomware and other types of malware. The firm has posted on its official blog that the vulnerability lies in improper filtering of contact cards sent in the widely used vCard format. The post further says that the researchers were surprised to discover that WhatsApp does not validate the vCard format or its contents. The researchers said they notified WhatsApp about the issue on August 27, and the company acknowledged it and released an initial fix. The fix has been rolled out to WhatsApp Web version 0.1.4481 and above. Users are advised to update WhatsApp Web to the latest version as soon as they see the update notification.
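The root cause described above is a missing validation step: a shared "contact" was trusted without checking that it was actually a vCard. The following is an added example, not Check Point's or WhatsApp's code, of the kind of strict check a messaging client or server could run on an incoming contact file before storing or opening it. Which properties to allow, the size limit and the UTF-8 assumption are choices made for this example, and the sample cards and file names are constructed.

```python
"""
Added example (not from the article, Check Point or WhatsApp): a strict
validator for incoming vCard (.vcf) contact files. It checks the file
extension, the BEGIN/END envelope, the VERSION property and the shape of
every content line, and rejects anything that does not look like a contact
card. Allowed properties, size limit and UTF-8 decoding are assumptions.
"""
from __future__ import annotations
import re

MAX_BYTES = 64 * 1024                     # assumption: a contact card never needs more
ALLOWED_VERSIONS = {"2.1", "3.0", "4.0"}
# Content line shape: NAME, optional ;param=value pairs, ':' and the value.
PROPERTY_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+)(?P<params>(;[^:;]*)*):(?P<value>.*)$")
# Standard vCard properties plus vendor extensions (X-...); anything else is rejected.
KNOWN_PROPERTIES = {
    "VERSION", "FN", "N", "NICKNAME", "PHOTO", "BDAY", "ADR", "TEL", "EMAIL",
    "TITLE", "ORG", "NOTE", "URL", "REV", "UID", "PRODID", "CATEGORIES",
}
# Any control character other than TAB, CR and LF has no place in a contact card.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def unfold(text: str) -> list[str]:
    """Normalise line endings and join folded continuation lines (leading SPACE/TAB)."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw == "":
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += raw[1:]          # folding removes the line break plus one blank
        else:
            lines.append(raw)
    return lines


def validate_vcard(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only a well-formed vCard under a bare .vcf name."""
    if "/" in filename or "\\" in filename or not filename.lower().endswith(".vcf"):
        return False, "filename must be a bare name ending in .vcf"
    if len(data) > MAX_BYTES:
        return False, "contact file too large"
    try:
        text = data.decode("utf-8")       # assumption: cards are exchanged as UTF-8
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    if CONTROL_RE.search(text):
        return False, "control characters in contact file"

    lines = unfold(text)
    if len(lines) < 3 or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        return False, "missing BEGIN:VCARD/END:VCARD envelope"

    version = None
    names_seen: set[str] = set()
    for line in lines[1:-1]:
        m = PROPERTY_RE.match(line)
        if not m:
            # Free text, scripts or anything else that is not a property line fails here.
            return False, f"line is not a vCard property: {line[:40]!r}"
        name = m.group("name").upper()
        if name in ("BEGIN", "END"):
            return False, "nested or repeated vCard envelope"
        if name not in KNOWN_PROPERTIES and not name.startswith("X-"):
            return False, f"unknown property {name}"
        if name == "VERSION":
            if version is not None:
                return False, "duplicate VERSION"
            version = m.group("value").strip()
            if version not in ALLOWED_VERSIONS:
                return False, f"unsupported vCard version {version!r}"
        names_seen.add(name)

    if version is None:
        return False, "missing VERSION"
    if not ({"N", "FN"} & names_seen):
        return False, "contact has no name (N/FN)"
    return True, "ok"


# Constructed samples for this example, not real traffic.
GOOD_CARD = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\nFN:Jane Doe\r\n"
             b"TEL;TYPE=cell:+1-555-0100\r\nNOTE:Met at the\r\n  conference\r\nEND:VCARD\r\n")
NOT_A_CARD = b"this is plain text, not a contact\r\n"
TRUNCATED_CARD = b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jane Doe\r\n"
STRAY_LINE_CARD = b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jane Doe\r\nnot a property line\r\nEND:VCARD\r\n"

if __name__ == "__main__":
    for fname, body in [("jane.vcf", GOOD_CARD), ("jane.vcf", NOT_A_CARD),
                        ("jane.txt", GOOD_CARD), ("jane.vcf", TRUNCATED_CARD),
                        ("jane.vcf", STRAY_LINE_CARD)]:
        print(fname, validate_vcard(fname, body))
```

The validator is deliberately an allow-list: it names what a contact card may contain and rejects everything else, rather than trying to recognise dangerous content, which is the filtering approach the article says was missing.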
Oded Vanunu, Security Research Group Manager at Check Point, said, “Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client.”
Since WhatsApp has a large user base, a large number of people are vulnerable to the threat. Last week, WhatsApp CEO and co-founder Jan Koum announced that WhatsApp has reached 900 million monthly active users. The security firm estimates that about 200 million of them use WhatsApp Web.