WhatsApp has issued a software update to fix a dangerous security vulnerability in the web-based version of its cross-platform messaging app for smartphones.
The vulnerability in the web version of the WhatsApp used by up to 200 million people could allow hackers to trick users into downloading malware to the PCs, according to security firm Check Point.
The web application mirrors all messages sent and received, synchronising a user’s smartphone and PC so all messages are visible on both devices.
WhatsApp Web is available for most WhatsApp supported platforms, including Android, iOS, Windows Phone 8.x and BlackBerry BB10.
“All an attacker needed to exploit the vulnerability was send a user a seemingly innocent vCard [electronic business card] containing malicious code,” said Oded Vanunu, security research group manager at Check Point.
“Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs [remote access Trojans] and other malware,” he wrote in a blog post.
The vulnerability, discovered by Check Point researcher Kasif Dekel, lies in the improper filtering of electronic business cards in the vCard format.
Dekel found it was possible to change the file extension for a vCard to .bat, or a batch executable script.
This means once the victim clicks the downloaded file – which appears to be a harmless contact card – the code inside the batch file is executed.
An attacker only needs the victim’s phone number to send the malicious code and for the recipient to accept it for the attack to work.
Check Point has urged users to update their WhatsApp web client to version v0.1.4481 immediately.
The security firm disclosed the flaw to Facebook-owned WhatsApp on 21 August 2015 and WhatsApp released an update for Web clients six days later.
Check Point, which waited another 12 days before disclosing the vulnerability publicly, has praised WhatsApp for its quick response.
“We applaud WhatsApp for such proper responses, and wish more suppliers would handle security issues in this professional manner. Software suppliers and service providers should be secured and act in accordance with security best practices,” said Vanunu.
The issue of responsible vulnerability disclosure was highlighted recently by two security researchers who disclosed vulnerabilities in Kaspersky Lab and FireEye products publicly before notifying the two security firms.
While both companies thanked the researchers for finding the vulnerabilities, FireEye said that while it appreciated the efforts of security researchers to find potential security issues and help FireEye improve its products, the company always encourages responsible disclosure.
However, security researcher Kristian Erik Hermansen has taken issue with FireEye for allegedly not responding to his findings sooner.
“What frustrates me is they are all ears now, when they ignored the issues for a long time,” Hermansen is quoted as saying by CSO Online.
“When they implement a bug bounty or security rewards process, I will reply to them. Until then, they get cold silence. They have been giving me lip service about implementing such a program for more than a year. Let them announce it publicly and then I will talk to them again. I’m sure there are lots of other bugs in their products not yet disclosed,” he said.
Hermansen is currently asking $10,000 for each of the four zero-day vulnerabilities he claims to have found.
Independent security consultant Graham Cluley said as a security researcher, Hermansen should realise his actions are bound towards helping users remain safe online.
“The manner in which he has conducted himself since announcing the four zero-day vulnerabilities suggests he is primarily interested in personal gain,” Cluley wrote in a blog post.
“Once again, we see the extent to which human behaviour affects computer security and how poor choices beget insecure consequences for us all.”