WhatsApp Web Vulnerability Puts 200 Million Users at Risk

WhatsApp Web, the web client of the popular messaging application WhatsApp, contains a vulnerability that could potentially allow malicious hackers to wreak havoc across millions of computers around the world, security researchers warned.

A researcher at Check Point, a cybersecurity firm, recently discovered “significant vulnerabilities” in WhatsApp Web, the Web-based variant of the tremendously popular WhatsApp application used on smartphones.

WhatsApp Web is a service that essentially replicates the WhatsApp mobile app experience within a web browser. The web interface lets users view and respond to text messages and open data, including videos, audio, GPS locations and contact cards, on a PC.

WhatsApp claims to have over 900 million active users, of which 200 million are also using WhatsApp Web.

WhatsApp Web – a New Gateway for Malware on Your Computer?

According to a blog post from Check Point, security researcher Kasif Dekel discovered exploits that take advantage of WhatsApp Web’s vulnerabilities, allowing attackers to compromise users’ computers through simple means.

Significantly, the malicious hacker would only need to know the target’s phone number associated with the WhatsApp account.

Here’s how the exploit works:

  • A seemingly innocuous vCard (contact card) is sent to the target. The vCard is riddled with malicious code.
  • Any victim who clicks on the vCard launches an executable file that begins downloading malware onto their computer. It’s that simple.

Researchers digging through the malware discovered all sorts of trouble. The contents of the malware included ransomware, bots, remote access tools (RATs) and other malicious code. The vulnerability affects all versions of WhatsApp before 0.1.4481.

Crisis Averted. The Fix Is Already Here

For their part, WhatsApp quickly took care of the exploit by deploying the fix as an update that started rolling out on August 27. All versions of WhatsApp Web after version 0.1.4481 already contain the fix for the vulnerability.

“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” wrote Oded Vanunu, security research group manager at Check Point.

We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.