WhatsApp security bug exposed 200mn users to hackers
WhatsApp, a popular mobile messenger, has already fixed a dangerous flaw in its Web browser extension, called the Web app, which was introduced for Android and Windows phones earlier this year and for iPhones last month. The bug, which could compromise a user’s information, was reported on August 21 by Kasif Dekel, a security researcher for Check Point, an Israeli provider of software for IT security.
WhatsApp responded by releasing an upgrade for its current Web client version on August 27, but the public disclosure was made only on Tuesday.
The problem concerned so-called vCards, a file format standard for electronic business cards that can be shared among WhatsApp users, along with photos, videos, audio and locations.
“This message appears legitimate, like any other contact card; most users would click on it immediately without having a second thought.
“The implication of this innocent action is downloading a file which can run arbitrary code on the victim’s machine,” Check Point’s report says.
The vulnerability is attributed to an error in filtering electronic business cards in the vCard format.
Once downloaded to a phone, a vCard could change its format to .bat, a batch executable script, which could put a user’s personal data in danger.
Hackers would only need the telephone number associated with the account to attack a user.
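One way a client could vet a received contact card before offering it for download is sketched below. This is an added example, not WhatsApp's or Check Point's code; the function names, the extension list and the sample cards are assumptions constructed for illustration.

```javascript
// Extensions a contact card should never carry (illustrative list, not exhaustive).
const EXECUTABLE_EXT = /\.(bat|cmd|exe|com|scr|js|vbs|ps1|msi|lnk)$/i;

// A contact card body must be vCard text: BEGIN:VCARD ... VERSION ... END:VCARD.
function isWellFormedVCard(body) {
  const lines = body.replace(/\r\n/g, "\n").trim().split("\n").map((l) => l.trim());
  if (lines.length < 3) return false;
  if (lines[0].toUpperCase() !== "BEGIN:VCARD") return false;
  if (lines[lines.length - 1].toUpperCase() !== "END:VCARD") return false;
  return lines.some((l) => /^VERSION:\d\.\d$/i.test(l));
}

// Build the download name from the display name and always append .vcf,
// so a sender-chosen extension never decides how the file is opened.
function safeDownloadName(displayName) {
  const base = displayName
    .replace(/[^\p{L}\p{N} _-]/gu, "_") // dots, slashes, control chars become "_"
    .trim()
    .slice(0, 64);
  return (base || "contact") + ".vcf";
}

// Reject cards whose name looks executable or whose body is not a vCard.
function vetContactCard(card) {
  if (EXECUTABLE_EXT.test(card.name.trim())) {
    return { ok: false, reason: "executable-extension" };
  }
  if (!isWellFormedVCard(card.body)) {
    return { ok: false, reason: "not-a-vcard" };
  }
  return { ok: true, filename: safeDownloadName(card.name) };
}

// Constructed sample cards (not taken from the report).
const VCARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:+10000000000\r\nEND:VCARD\r\n";
const SAMPLE_CARDS = [
  { name: "Alice Example", body: VCARD },
  { name: "Alice Example.bat", body: "REM constructed placeholder" },
  { name: "Bob Example", body: "REM constructed placeholder" },
];

for (const card of SAMPLE_CARDS) {
  console.log(card.name, "->", JSON.stringify(vetContactCard(card)));
}
```

The content check matters as much as the name check: the third sample has an ordinary display name but is still rejected because its body is not a vCard.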
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” the report concluded.