WhatsApp Web bug could have affected 200m users

9 Sep 2015

A potentially harmful vulnerability in WhatsApp’s desktop-based messaging platform has been discovered, which could have put 200m of its users in harm’s way, all with a simple vCard.

The version that works on a person’s desktop computer, WhatsApp Web, mirrors the user’s WhatsApp app on their phone, but it cannot work independently if the phone is offline.

While still not as popular as the phone-based version, nearly 200m of WhatsApp’s 1bn-plus users have connected to it, at least on a few occasions.

Now, according to security firm Check Point, a simple malicious phishing code made WhatsApp Web dangerous if that code was opened.

The vulnerability lay in WhatsApp Web’s ability to handle vCards, the virtual business card format that can be sent from one phone to another.

The hacker would find a way to use the number of someone within the person’s contact list, all that was needed then was to create a scenario where they would send the vCard and, once opened, the virus would enter the system.

WhatsApp Web hack

The Check Point team’s demonstration of how the hack would appear. Image via Check Point

To make matters worse, the Check Point researcher who discovered the flaw showed that once someone had access to the code, “no XMPP interception or crafting is needed for this attack, since any user can create such a contact with an injected payload on their phones”.

In effect, this means it would be very easy for someone with limited hacking knowledge to send the phishing scam to a person’s phone.

Check Point first became aware of the bug last month, and made the Facebook-owned service aware of the vulnerability on 21 August, and the issue has since patched the issue.

“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, security research group manager at Check Point.

“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner.”

WhatsApp on desktop image via Shutterstock

Colm Gorey was a senior journalist with Silicon Republic