Users urged to update WhatsApp Web to shut down vCard vulnerability

The web-based extension of the popular WhatsApp application is vulnerable to an exploit that would allow attackers to trick victims into executing malware on their machines in a new, sophisticated way.

That's according to Check Point security researcher Kasif Dekel who found that to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code.  Once opened in WhatsApp Web, the executable file in the contact card can run, further compromising computers by distributing malware including ransomware, bots, remote access tools (RATs), and other types of malicious code.

The vulnerability applies to all versions of the app before version 0.1.4481.

To target an individual, all the attacker needs is their phone number. WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application, including images, videos, audio files, locations and contact cards.

WhatsApp claims to have 900 million active users of which 200 million use the WhatsApp Web interface. WhatsApp Web mirrors all messages sent and received (which includes images, videos, audio files, locations and contact cards), and fully synchronises users' phones and desktop computers so that users can see all messages on both devices.  

“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, security research group manager at Check Point.  “We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”