WhatsApp Web app vCard vulnerability leaves 200 million users at risk

A security researcher at Check Point has discovered a vulnerability in the WhatsApp Web app. The app -- which allows for WhatsApp messages sent to a phone to be viewed on a desktop computer, as well as syncing data -- can be exploited if a malicious user sends a specially-crafted vCard contact to someone.

A problem with WhatsApp's filtering of the contact card means that it could be used to "trick victims into executing arbitrary code on their machines in a new and sophisticated way". What's particularly worrying about this vulnerability is the fact that all an attacker needs is the phone number associated with a WhatsApp account. With an estimated 200 million WhatsApp Web users, there are a lot of potential victims.

Check Point reported the security issue to WhatsApp on 21 August, and an initial fix materialized just six days later. Now the security company is advising anyone who uses WhatsApp Web to update to the latest version of the app in which the feature has been blocked. Detailing the findings of researcher Kasif Dekel, Check Point says that until the problem is fixed:

All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malwares.

While a patch has now been issued, what is concerning about this vulnerability is the ease with which it can be exploited -- along with the consideration that many people may not immediately update their software. Without the need for any special hacking tools, all manner of malicious code could be run on a victim's computer, including downloading dangerous executables. Check Point applauded WhatsApp for addressing the problem so quickly, and reiterated the importance of users updating to at least version v0.1.4481 of the software.