According to open source data, a fifth of WhatsApp’s billion-strong user base favors the app’s web client. That version of the service was launched just a short while ago and has already managed to cause a few significant problems.
A couple of days back, representatives of an IT company called Check Point found a serious flaw in the app’s security. It is a software bug that gives cybercriminals a way to access the computers of potential victims. To do so, the attacker simply needs to place malicious code in a vCard. As soon as the user opens the card, the malicious code immediately infects their computer. To attack a target, the cybercriminal doesn’t need to know anything besides a telephone number that is linked to a personal account.
Luckily, WhatsApp reps quickly checked this information and confirmed that the vulnerability is real. The developers wasted no time and fixed the problem by releasing a patched update of the app.
Note that WhatsApp Web supports the transfer of any kind of media, be it audio, contact cards, video, images and so forth.
As for the current issue, the vulnerability was caused by the fact that text cards were insufficiently filtered.
The malicious card looks like a mirror image of a genuine one, which is exactly why many users didn’t hesitate to run it on their computers. Once opened, the downloaded file runs malicious code on the victim’s computer.
On the technical side, it was discovered that XMPP requests sent to the server can be intercepted and the file extension changed. If the extension is changed to .bat, we get the same card, only this time it carries malicious code.
The same result can also be achieved by simply manipulating the username. All that is required is to write a command next to the name attribute, separated from it by the “&” character. So you don’t even have to know your way around computers and software to create harmful cards: they are easily put together on mobile devices.
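A receive-side check for the two tricks described above (a changed extension and a command appended to the name with “&”), as an added example that is not from the original article or from WhatsApp’s code. The function names, the character set and the sample card are constructed for illustration, and the example assumes the client derives the saved file’s name from sender-supplied text.

```javascript
// Added example (not WhatsApp code): receive-side checks for a contact card.
// Function names and the sample card are constructed for illustration.
const CMD_META = /[&|<>^%`]/; // characters a Windows command interpreter treats specially

// Build the on-disk name from sender-supplied display text: keep letters,
// digits, space, dot, underscore and hyphen, then force a fixed .vcf extension.
function safeDownloadName(displayName) {
  const base = String(displayName)
    .replace(/[^\p{L}\p{N} ._-]/gu, '')  // drop "&" and every other special character
    .replace(/\s+/g, ' ')
    .replace(/\.[A-Za-z0-9]{1,4}$/, '')  // drop any sender-chosen extension
    .trim()
    .slice(0, 64);
  return (base || 'contact') + '.vcf';
}

// Validate what arrived: extension allowlist, vCard envelope, clean name fields.
function checkContactCard(filename, body) {
  const problems = [];
  const name = String(filename).trim();
  const dot = name.lastIndexOf('.');
  const ext = dot >= 0 ? name.slice(dot + 1).toLowerCase() : '';
  if (ext !== 'vcf') problems.push('extension is not .vcf');
  if (CMD_META.test(name)) problems.push('filename contains command metacharacters');

  // Unfold continuation lines (line break + space/tab), then require the envelope.
  const lines = String(body).replace(/\r?\n[ \t]/g, '').split(/\r?\n/).filter(Boolean);
  const first = (lines[0] || '').trim().toUpperCase();
  const last = (lines[lines.length - 1] || '').trim().toUpperCase();
  if (first !== 'BEGIN:VCARD' || last !== 'END:VCARD') problems.push('body is not a vCard envelope');

  // FN and N carry the contact's name; ";" is legal there as a component separator.
  for (const line of lines) {
    const m = /^(FN|N)(?:;[^:]*)?:(.*)$/i.exec(line);
    if (m && CMD_META.test(m[2])) problems.push(m[1].toUpperCase() + ' value contains command metacharacters');
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample card.
const SAMPLE_CARD = 'BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jane Doe\r\nN:Doe;Jane;;;\r\nTEL:+15550100\r\nEND:VCARD\r\n';
```

The check rejects a card on any single finding; the renaming function is the stronger control, because it never lets sender-supplied text choose the extension.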
To recap, if you have run into this problem, follow the developers’ advice and install the latest version of the software.