
WhatsApp, a popular mobile application with more than 900,000 million active users, has released an update to address several significant vulnerabilities in the app’s web-based extension.

With WhatsApp Web, sent and received messages are fully synced between a user’s phone and computers, giving users the capability to access messages on both devices.

However, Check Point security researcher Kasif Dekel recently disclosed several vulnerabilities in the mobile app’s web version that could allow attackers to trick victims into executing arbitrary code on their devices.

“All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code,” wrote Check Point in a blog post.

“Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malware.”

According to Dekel, attackers would simply need the phone number associated with the account to target a particular individual.
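The attack described above works because a file presented as a contact card is accepted on its name alone. The following is an added example, not code from Check Point or WhatsApp, of the kind of attachment check a client or gateway can apply before handing a purported vCard to the desktop: it rejects executable extensions in the filename, known executable and archive signatures in the content, non-text content, and anything that is not framed and formatted as a vCard. The magic-byte table, extension list, size cap and the sample attachments are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Executable/container signatures a contact card must never start with
# (constructed list for this example, not an exhaustive one).
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal / Java class",
    b"PK\x03\x04": "ZIP container (JAR/APK/Office)",
    b"#!": "script with interpreter line",
}

# Extensions a desktop will execute on open (hypothetical policy list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".jar", ".msi", ".hta",
}

MAX_VCARD_BYTES = 64 * 1024  # assumption: a generous cap for one contact card

# A vCard content line: NAME or GROUP.NAME, optional ;params, then a colon.
PROPERTY_LINE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)?(;[^:]*)?:")


def classify_vcard_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an attachment presented as a contact card."""
    parts = filename.lower().split(".")
    # 1. The name must end in .vcf and carry no executable extension anywhere
    #    (catches both "contact.exe" and double extensions like "contact.vcf.exe").
    if len(parts) < 2 or parts[-1] != "vcf":
        return False, f"unexpected extension on {filename!r}"
    if any("." + p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, f"executable extension hidden in {filename!r}"
    if len(data) > MAX_VCARD_BYTES:
        return False, f"{len(data)} bytes exceeds contact-card cap"
    # 2. Content must not begin with a known executable or container signature.
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"content is a {label}, not a contact card"
    # 3. vCards are text; anything that is not UTF-8 is rejected outright.
    try:
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return False, "content is not UTF-8 text"
    # 4. Structure: BEGIN/END framing, a VERSION property, and every other line
    #    either a property line or a folded continuation (leading space/tab).
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln != ""]
    if not lines or lines[0].upper() != "BEGIN:VCARD":
        return False, "missing BEGIN:VCARD"
    if lines[-1].upper() != "END:VCARD":
        return False, "missing END:VCARD"
    if not any(ln.upper().startswith("VERSION:") for ln in lines[1:-1]):
        return False, "missing VERSION property"
    for ln in lines[1:-1]:
        if ln[0] in " \t":
            continue  # folded continuation of the previous property
        if not PROPERTY_LINE.match(ln):
            return False, f"malformed content line: {ln[:40]!r}"
    return True, "well-formed vCard"


# Constructed sample attachments (not data from the disclosure).
SAMPLES: Dict[str, bytes] = {
    "alice.vcf": (b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
                  b"TEL;TYPE=cell:+1-555-0100\r\nNOTE:line one\r\n two\r\nEND:VCARD\r\n"),
    "contact.vcf.exe": b"BEGIN:VCARD\r\nVERSION:3.0\r\nEND:VCARD\r\n",
    "invoice.vcf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "odd.vcf": b"BEGIN:VCARD\r\nVERSION:3.0\r\nnot a property line\r\nEND:VCARD\r\n",
}


def scan_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the check over every constructed sample."""
    return {name: classify_vcard_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in scan_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:16} {why}")
```

Only the first sample passes; the executable disguised as `invoice.vcf` is caught by its `MZ` signature even though the filename looks right, and the double-extension name is rejected before the content is read. Checking content rather than trusting the label is the property that the update described in this article restores.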

The ‘MaliciousCard’ vulnerability is present in all versions of the mobile app prior to the latest version – 0.1.4481.

[Image] Source: Check Point

“This simple trick opened up a vast world of opportunity for cybercriminals and scammers, in effect allowing easy ‘WhatsApp Phishing,’” warned Oded Vanunu, Check Point security researcher.

“Massive exploitation of this vulnerability could have affected millions of users, failing to realize the malicious nature of the attachment,” he said.

Check Point reported the research to WhatsApp late last month, and the company promptly verified and acknowledged the security issue days later.

The messaging app has now rolled out the initial fix, and has also blocked the particular feature.

“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner,” said Check Point.

“Software vendors and service providers should be secured and act in accordance with security best practices.”