Security researchers have found that WhatsApp Web, the browser-based desktop version of the hugely popular messaging app owned by Facebook Inc., has a major security flaw that could allow hackers to infect users' systems by simply knowing their phone number -- potentially putting 200 million people at risk.
Researchers at Check Point have found that the desktop version of the messaging app, which mirrors all messages sent and received and fully synchronizes the user's phone with the desktop computer, is putting users at risk by allowing hackers to "trick victims into executing arbitrary code on their machines in a new and sophisticated way." The flaw is related to how WhatsApp Web handles vCards, the contact-card files used to send contact details.
Once an attacker sends a vCard containing malicious code and the victim opens it in WhatsApp Web, the supposed contact card turns out to be an executable file, which can then compromise the user's PC by "distributing bots, ransomware, RATs, and other malwares," researcher Kasif Dekel wrote on Check Point's blog.
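The attack described above depends on a file that is presented as a contact card but is really an executable. The following is an added example, not WhatsApp's fix and not code from Check Point's write-up: a defensive check a web client could run before offering a received "contact" to the user for download. It enforces a single .vcf extension (rejecting names such as contact.vcf.bat), refuses content that begins with a known executable signature or a shebang, and requires the body to be structurally a vCard (BEGIN:VCARD, a VERSION line, property lines, END:VCARD). The function names and the sample inputs are assumptions constructed for this example.

```javascript
// Added example (not WhatsApp's or Check Point's code): validate that an attachment
// labelled as a contact card really is one before it is handed to the user.
// Function names and sample inputs below are assumptions made for this example.

const EXEC_SIGNATURES = [
  [0x4d, 0x5a],             // "MZ": Windows PE executable
  [0x7f, 0x45, 0x4c, 0x46], // ELF executable
  [0x23, 0x21],             // "#!": script with an interpreter line
];

function startsWith(bytes, sig) {
  return sig.every((b, i) => bytes[i] === b);
}

// Strip any path component and control characters, then require exactly one
// extension and require it to be .vcf. Returns null when the name is rejected.
function sanitizeFilename(name) {
  const base = name.split(/[\\/]/).pop().replace(/[\x00-\x1f]/g, "");
  const parts = base.split(".");
  if (parts.length !== 2 || parts[0].length === 0) return null; // no or double extension
  if (parts[1].toLowerCase() !== "vcf") return null;
  return parts[0] + ".vcf";
}

// Structural check: text only, BEGIN/END markers, a VERSION property, and every
// line in between either a "NAME[;params]:value" property or a folded continuation.
function looksLikeVcard(bytes) {
  if (bytes.some((b) => b === 0)) return false; // NUL bytes never belong in a vCard
  const text = new TextDecoder("utf-8").decode(bytes);
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  if (lines.length < 3) return false;
  if (lines[0].toUpperCase() !== "BEGIN:VCARD") return false;
  if (lines[lines.length - 1].toUpperCase() !== "END:VCARD") return false;
  if (!lines.some((l) => /^VERSION:[234]\.0$/i.test(l))) return false;
  return lines
    .slice(1, -1)
    .every((l) => /^[A-Za-z0-9-]+(;[^:]*)?:/.test(l) || /^[ \t]/.test(l));
}

// Returns { ok: true, filename } for a genuine contact card, otherwise
// { ok: false, reason } naming the first check that failed.
function checkContactAttachment(name, bytes) {
  const safeName = sanitizeFilename(name);
  if (safeName === null) return { ok: false, reason: "bad-filename" };
  if (EXEC_SIGNATURES.some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: "executable-signature" };
  }
  if (!looksLikeVcard(bytes)) return { ok: false, reason: "not-a-vcard" };
  return { ok: true, filename: safeName };
}

// Constructed sample inputs (not captured traffic).
const enc = new TextEncoder();
const SAMPLES = {
  legit: {
    name: "Alice.vcf",
    bytes: enc.encode("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL;TYPE=CELL:+10000000000\r\nEND:VCARD\r\n"),
  },
  batchFile: { name: "Alice.bat", bytes: enc.encode("@echo off\r\nstart notepad.exe\r\n") },
  doubleExt: { name: "Alice.vcf.exe", bytes: enc.encode("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice\r\nEND:VCARD\r\n") },
  peBinary: { name: "Alice.vcf", bytes: new Uint8Array([0x4d, 0x5a, 0x90, 0x00, 0x03]) },
  fakeCard: { name: "Alice.vcf", bytes: enc.encode("BEGIN:VCARD\r\nVERSION:3.0\r\n@echo off\r\nEND:VCARD\r\n") },
  pathName: { name: "..\\..\\Alice.vcf", bytes: enc.encode("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice\r\nEND:VCARD\r\n") },
};

function runSamples() {
  const results = {};
  for (const [label, s] of Object.entries(SAMPLES)) {
    results[label] = checkContactAttachment(s.name, s.bytes);
  }
  return results;
}

console.log(runSamples());
```

The extension check is deliberately strict rather than a blocklist of dangerous extensions: a blocklist has to know every executable type a browser or operating system might launch, whereas requiring exactly .vcf only has to know the one type the feature is meant to deliver. The structural check catches the case where the name passes but the body is something else.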
The scariest part of the attack is how easy it is. "To target an individual, all an attacker needs is the phone number associated with the account," Dekel said. WhatsApp said earlier this year that more than 200 million people were using its web-based client, which recently added support for iPhones, having previously supported Android, Windows Phone and BlackBerry devices. The company's mobile app recently crossed the 900 million user milestone.
Richard Cassidy from security firm Alert Logic believes WhatsApp's inherently open platform puts it at high risk of such attacks.
“This type of threat against WhatsApp isn’t new in terms of how we see hackers attempt to exploit popular messaging services. Given the inherently open trust model that WhatsApp is built on, such as finding contacts in address books who may be using WhatsApp and sending invites openly to others, in addition to open sharing of files, images, videos and of course vCards, it’s an app that presents a great deal of opportunity for attackers to trick users (for whom they have details) into opening a seemingly legitimate or interesting file that could lead to an exploit of the host device. That said, the move to a browser-based version of the popular application means greater security risks are now present that weren’t before on mobile platforms," Cassidy told International Business Times in an email.
WhatsApp has already responded to the alert and deployed an update to its web client, and Check Point urges all users to update their software immediately. There are no indications to date that the flaw has been actively exploited in the wild.
Mark James, from security firm ESET, said that the potential risks of someone exploiting this bug are huge -- especially for businesses.
“Ransomware is one of the most destructive forms of malware around currently; it renders local and remote files unusable until the ransom is paid. If this is in a business environment then no one will be able to access those files, and in a worst case scenario it could cause the whole software infrastructure to fail. Of course, if backups are in place it’s just a matter of time before you are back up and running, but if not, then remember that paying the ransom is only funding criminal activity and should be avoided if possible,” James told IBT in an email.