WhatsApp Web for months has been exposed to a very serious security vulnerability that has made it possible to attackers to take full control of a system remotely.
The Israeli security firm Check Point discovered a critical vulnerability of WhatsApp Web that might put at risk the 200 million users of the service. Exploiting a flaw in the system of sending vCard, the attacker can easily execute arbitrary code remotely and potentially acquire full control of the target system. The vulnerability has already been corrected, but the service has been exposed since its debut to possible hack remotely.
WhatsApp Web is performed by web browsers and could be violated simply by sending a vCard suitably manipulated to contain malicious code. If the vCard had been opened on the web-app the attacker could execute code contained on the system in use by the victim. WhatsApp Web could be used to convey many types of malware, such as ransomware, bots and even remote access tools (RATs).
Carry out the attack was simple: ” To exploit the exploit, everything he needed the aggressor is a telephone number associated with the account, ” says Check Point. WhatsApp allows you to send and receive several kinds of files: photos, videos, voice messages and also share your location and contact cards. Unlike e-mail attachments, which we approach with making more cautious, the user opens WhatsApp usually shared files ” without thinking twice, ” says the company.
The vulnerability is caused by an inadequate filtering of contact cards sent with the famous vCard format. The attacker can inject a command file attributes vCard separated by ” & “. When the vCard is opened, Windows tries to run all the lines of code present, including those injected. By clicking on the contact card manipulated the system downloads files on your PC that runs automatically on your computer, said CheckPoint, specifying that the file could also be an executable.
WhatsApp did not provide a check on the vCard format or content of the file, allowing an attacker to exploit the vulnerability by sending naive even .exe file. The Israeli company announced the existence of the flaw on 27 August, and the company of Jan Koum responded in a prompt warning: ” WhatsApp has verified and confirmed the security issue and has developed a fix for the client web around the world, ” he writes Check Point.
The company Koum has included the fix version WhatsApp Web V0.1.44781, so it is advisable to use this release or those that will be released in the future to avoid tampering in the system.