Tech

WhatsApp vCard vulnerabilities exposes millions of users

Security flaws within the WhatsApp application had the potential to trick users into executing arbitrary code on their systems.

Written by Charlie Osborne, Contributing Writer Sept. 9, 2015 at 4:08 a.m. PT

Severe vulnerabilities within the WhatsApp mobile application which tricked users into executing malicious, arbitrary code has been patched.

Researchers from security firm Check Point explained the security issues in detail on Tuesday. In a blog post, the team said Whatsapp Web is at fault, and "significant" vulnerabilities discovered by Check Point researcher Kasif Dekel can trick victims into executing arbitrary code.

WhatApp Web is an extension of the WhatsApp application on your mobile device. The web application mirrors messages both sent and received by users, synchronizing any linked devices you own so messages can be viewed across all devices. Available on all major mobile operation systems including Android and iOS, the interface is used by approximately 200 million users worldwide.

The vulnerabilities lie within the "improper" filtering of contact cards such as vCards -- a format often used for electronic business cards -- and a lack of validation when it comes to vCard formats or file contents. By intercepting XMPP requests sent to WhatsApp servers, the researcher was able to alter file extensions in order to send batch files containing malicious code instead of legitimate content.

Featured

Check Point says the security problems within WhatApp Web only require attackers to send a user a vCard which appears innocent. If laden with malicious code, once opened the vCard contact is revealed to be an executable file which "further compromises computers by distributing bots, ransomware, RATs, and other malware," according to Dekel.

As long as an attacker has the phone number associated with the victim's account, this problem can be exploited.

The firm says WhatsApp has verified the vulnerabilities exist and have deployed a fix for clients. After disclosure to WhatsApp on August 21, the patch was rolled out in WhatsApp versions beyond 0.1.4481, which also blocked features which could leave users vulnerable.

"Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client," said Oded Vanunu, Security Research Group Manager at Check Point.

"We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices."

To make sure you are not affected, you should immediately up date the WhatsApp application to its latest version.