The uber-popular messaging app, purchased by Facebook last January to the tune of 19 billion dollars, boasts over 900 million users and has a highly engaged user base. In fact, after the epic merger, Mark Zuckerberg explained the company’s logic in the purchase saying “WhatsApp is the only app we’ve ever seen with higher engagement than Facebook itself.” Those must be some dedicated 900 million users.
Then earlier this year, WhatsApp released a web version, which mirrors the smartphone version and allows users to send messages to other users regardless of which browser they use. The web app was designed to help users untangle the jumble of messages, images and videos on a larger, more manageable interface. According to company estimates, in the nine months since the web app was launched, more than 200 million people have become engaged users.
On August 21st, a security researcher at Check Point Software Technologies, ZoneAlarm’s parent company, discovered a flaw that could put all of those 200 million web-based users at risk. Researcher Kasif Dekel demonstrated that within the web-based app, vCards (the industry term for electronic contact cards) can be laced with malware.
Armed only with a user’s phone number, an attacker can send an infected vCard to a target who assumes the card is innocent and opens it accordingly. Once it has been opened, the malware begins to download to the victim’s computer and can deliver all sorts of nasties like bots, Remote Access Tools (RATs) and ransomware. The infected vCards are virtually indistinguishable from legitimate vCards, so there is really no way for a target to know that something underhanded is taking place.
In general, messaging apps have mechanisms for filtering the content of vCards: they inspect what a card actually contains and, if it is deemed malicious, refuse to send it. But as Dekel discovered, there was no such filtering mechanism at work within WhatsApp.
Oded Vanunu, Security Research Group Manager at Check Point, said “We were surprised to find that WhatsApp fails to perform any validation on the vCard format or the contents of the file.”
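As an added illustration of the kind of format and content validation Vanunu’s quote refers to, here is a small, strict vCard checker written for this post. It is not Check Point’s or WhatsApp’s code, and the property allowlist, the size limit, the rule against embedded binary data and the sample cards are all constructed assumptions for the example. The idea is simple: a messaging client that accepts a “contact card” should refuse anything that is not, line by line, a well-formed vCard.

```python
import re

# Assumed policy: only these vCard properties are accepted (constructed allowlist).
ALLOWED_PROPERTIES = {
    "BEGIN", "END", "VERSION", "FN", "N", "NICKNAME", "TEL", "EMAIL",
    "ADR", "ORG", "TITLE", "URL", "NOTE", "BDAY",
}
MAX_SIZE = 64 * 1024  # assumed upper bound for a contact card (constructed)

# One vCard content line: NAME[;PARAM[=value]...]:VALUE
# Quoted parameter values are deliberately not supported by this strict checker.
LINE_RE = re.compile(r"^([A-Za-z0-9-]+)((?:;[A-Za-z0-9-]+(?:=[^:;]*)?)*):(.*)$")


def unfold(text):
    """Undo RFC 6350 line folding: a line starting with space/tab continues the previous one."""
    lines = []
    for raw in text.split("\n"):
        raw = raw.rstrip("\r")
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def validate_vcard(filename, data):
    """Return a list of problems found in the card; an empty list means it passed."""
    problems = []
    if not filename.lower().endswith(".vcf"):
        problems.append("file extension is not .vcf")
    if len(data) > MAX_SIZE:
        problems.append("file is larger than the allowed size")
        return problems
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("file is not valid UTF-8 text")
        return problems
    # Reject raw control characters other than the line-ending and tab bytes.
    if any(ord(c) < 32 and c not in "\r\n\t" for c in text):
        problems.append("control characters present")
    lines = [line for line in unfold(text) if line != ""]
    if not lines or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        problems.append("missing BEGIN:VCARD/END:VCARD envelope")
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line)
        if not match:
            problems.append(f"line {number}: not a vCard content line")
            continue
        name, params, value = match.group(1).upper(), match.group(2).upper(), match.group(3)
        if name not in ALLOWED_PROPERTIES:
            problems.append(f"line {number}: property {name} not allowed")
        # Policy choice for this example: no embedded binary blobs at all.
        if "ENCODING=B" in params or value.lower().startswith("data:"):
            problems.append(f"line {number}: embedded binary data rejected")
    if not any(line.upper().startswith("VERSION:") for line in lines):
        problems.append("no VERSION property")
    return problems


def is_safe_vcard(filename, data):
    """Convenience wrapper: True only when the card passes every check."""
    return validate_vcard(filename, data) == []


# Constructed sample cards for the example (not real contacts or real attack files).
GOOD_CARD = (
    b"BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\nFN:Jane Doe\r\n"
    b"TEL;TYPE=cell:+1-555-0100\r\nEMAIL:jane.doe@example.com\r\nEND:VCARD\r\n"
)
UNKNOWN_PROPERTY_CARD = (
    b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Not A Contact\r\n"
    b"X-PAYLOAD;ENCODING=B:AAAA\r\nEND:VCARD\r\n"
)
NOT_A_CARD = b"hello, this is not a contact card\r\n"

if __name__ == "__main__":
    for name, blob in [("good.vcf", GOOD_CARD), ("odd.vcf", UNKNOWN_PROPERTY_CARD),
                       ("text.vcf", NOT_A_CARD), ("good.txt", GOOD_CARD)]:
        print(name, "->", validate_vcard(name, blob) or "accepted")
```

Run as a script, the checker accepts the well-formed card, flags the card carrying an unknown property with embedded binary data, rejects the plain-text file outright, and reports the extension mismatch even when the contents are fine. A real client would pair checks like these with the size and type limits it already applies to other attachments.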
And that’s not all. On Check Point’s B2B blog, Vanunu showed how the vulnerability can be exploited even further using emojis to enhance the potency of the malware. Left unfixed, this could have become the perfect set-up for highly targeted spear-phishing attacks using a mix of malicious code and social engineering.
As of now, the vulnerability hasn’t been seen in the wild. In other words, as far as anyone knows, no one has sent such a card to targets. Rather, what Dekel constructed is a “proof-of-concept”, meaning that he showed such an exploit could be executed. If the vulnerability is left without a fix, the results could be catastrophic.
Thankfully, the security team at WhatsApp was quick to address the issue once they were notified of it.
WhatsApp was first made aware of the vulnerability on August 21 and rolled out a patch (a fix) on August 27th. In the world of software patching, that is lightning-fast. Vanunu gave them credit for the speed, saying, “WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients.”
The vulnerability exists on all versions of WhatsApp before version 0.1.4481, and all users are strongly advised to update their WhatsApp client as soon as possible to make sure the fix is put into place.
Considering the amazing programming that goes into clever apps these days, it’s no surprise that vulnerabilities exist. The key to enjoying technology safely is knowing that someone’s got your back (in this case, Check Point), that app developers are on the ball (in this case, WhatsApp’s speedy fix) and keeping your own product up to date (in this case, making sure the version of WhatsApp that you’re using is fixed). Online safety requires security, trust and responsibility. If you’ve got all those things going for you, then you are good to go.
Do you have any tips for staying safe online?