200 Million WhatsApp Users Vulnerable to vCard Vulnerability
WhatsApp recently claimed to have hit 900 Million monthly active users, but a dangerous security flaw in the web version of the popular instant messaging app puts up to 200 Million of its users at risk.

Yes, the web-based extension of WhatsApp is vulnerable to an exploit that could allow hackers to trick users into downloading malware on their computers in a new and more sophisticated way.

WhatsApp made its web client, WhatsApp Web, available to iPhone users just last month, after first rolling out its web-based instant messaging service for Android, Windows and BlackBerry Phone earlier in the year.

Similar to Facebook Messenger, WhatsApp Web brings the mobile app to a web browser, letting you view all of your conversations with friends – including images, audio files, videos, GPS locations and contact cards – directly on your PC.

However, a security flaw discovered by Check Point's security researcher Kasif Dekel could allow hackers to compromise your machines by distributing malware including:
  • Remote Access Tools (RATs) – Give hackers remote access to the victim's PC
  • Ransomware – Forces victims to pay a ransom in order to regain access to their systems and personal data
  • Bots – Cause the machines to slow down to a crawl
  • Other malicious software

Here's How the WhatsApp Exploit Works

To exploit the vulnerability, an attacker needs only the target's phone number and a seemingly innocent vCard contact card containing malicious code to send to the WhatsApp user.

"To target an individual, all an attacker needs is the phone number associated with the [WhatsApp] account," Oded Vanunu from Check Point wrote in a blog post on Tuesday.

According to the researcher, it is easy for anyone to create a .BAT file and send it as a legitimate-looking vCard that resembles any other message from a friend but actually triggers malicious code when clicked.

Once the vCard is opened in WhatsApp Web, the executable malicious code in the card runs on the target machine, further leaving the infected machine open to other attacks that could:
  • Take complete control over the target machine
  • Monitor user's activities
  • Use the target machine to spread viruses

The WhatsApp security team has verified and acknowledged the vulnerability and has rolled out an update to fix the issue in its web clients.

The flaw affects all versions of WhatsApp before V0.1.4481. So, users are advised to make sure that they are running the fully updated version of WhatsApp.
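
One way a web client could check a received contact card before offering it for download, given that the flaw let a .BAT file pass as a vCard. This is an added example, not WhatsApp's or Check Point's code; the function names, the rule set and the sample data are assumptions made for illustration.

```javascript
// Added example, not WhatsApp's or Check Point's code. Names are hypothetical.
const ALLOWED_EXT = ".vcf";

// A vCard content line is NAME[;params]:value (optionally "group.NAME").
const CONTENT_LINE = /^([A-Za-z0-9-]+\.)?[A-Za-z0-9-]+(;[^:]*)?:.*$/;

// vCard folds long lines: a line break followed by space or tab continues the line.
function unfold(text) {
  return text.replace(/\r?\n[ \t]/g, "");
}

function checkContactCard(fileName, body) {
  const reasons = [];

  // 1. The name the browser will save under must end in .vcf.
  if (!fileName.trim().toLowerCase().endsWith(ALLOWED_EXT)) {
    reasons.push("extension is not .vcf");
  }
  if (/[\\\/:*?"<>|\u0000-\u001f]/.test(fileName)) {
    reasons.push("illegal character in name");
  }

  // 2. The body must parse as a vCard, not merely be labelled as one.
  const lines = unfold(body).split(/\r?\n/).filter((l) => l.length > 0);
  const first = (lines[0] || "").toUpperCase();
  const last = (lines[lines.length - 1] || "").toUpperCase();
  if (first !== "BEGIN:VCARD") reasons.push("missing BEGIN:VCARD");
  if (last !== "END:VCARD") reasons.push("missing END:VCARD");
  if (!lines.some((l) => /^VERSION:(2\.1|3\.0|4\.0)$/i.test(l))) {
    reasons.push("missing or unknown VERSION");
  }
  if (!lines.some((l) => /^(FN|N)[;:]/i.test(l))) reasons.push("missing FN/N");
  if (lines.some((l) => !CONTENT_LINE.test(l))) reasons.push("non-vCard line present");

  return { ok: reasons.length === 0, reasons };
}

// Constructed samples: a minimal contact card and a script-like text body.
const goodCard = ["BEGIN:VCARD", "VERSION:3.0", "FN:Alice Example",
  "TEL;TYPE=cell:+1-555-0100", "END:VCARD"].join("\r\n");
const scriptBody = "@echo off\r\necho this is not a contact\r\n";

console.log(checkContactCard("Alice Example.vcf", goodCard));
console.log(checkContactCard("Alice Example.bat", goodCard));
console.log(checkContactCard("Alice Example.vcf", scriptBody));
```

The name check and the body check are independent on purpose: a card is rejected if either the saved extension or the content is not what a contact card should be.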
