Popular messaging client WhatsApp Web was recently faced with a massive security flaw which allowed hackers to trick people into downloading malicious software. The vulnerability was uncovered by Check Point, an Israeli security firm, who said it could have been used to exploit the 200 million users of the browser-based platform.
WhatsApp Web was informed of the bug in its system on August 21 and a patch was rolled out on August 27 to resolve the issue. The problem lay in its vCard system of exchanging contacts. An attacker could exploit holes in the platform’s security to trick users into carrying out harmful codes in their computers.
A phone number is the only information a hacker needs in this scam. The attacker first sends an ordinary-looking vCard to the potential victim. Once it’s opened, the contact card reveals itself to be an executable file which could potentially spread malwares such as ransomware, bots and RATs.
Also Read: WhatsApp for Web update adds ability to manage chats, groups and profile photo
Since the card looks so authentic, it is impossible to tell if the vCard sent via WhatsApp is harmful. Hackers could easily add a command line containing the malicious software to the file and separate it from the name of the contact by an ampersand character. Windows would then proceed to run all the lines in the code.
The scam was made possible due to a lack of proper filtering procedures in the earlier versions of WhatsApp Web. The company would let vCards get sent without checking if it actually was one. The contents of the contact card were not scanned either. If there was a suspicious executable file hidden in the file, the client was not able to flag or block it.
Check Point notes that all versions of WhatsApp Web greater than 0.1.4481 do not have this security gap. It advised people to make sure they have downloaded the latest update of the platform.