Check Point discovers a major flaw that puts the security of devices that use WhatsApp Web at risk
WhatsApp Web, the browser version of the popular messaging system, has put the safety of millions of users is at risk due to a bad leak. I talk about it in the past, because the good news is that the problem was (recently) solved. Meanwhile, it is possible that several of the more than 200 million users using the web version have fallen victim to some cybercriminal.
The discovery of the flaw by the Check Point laboratories, and in this case by the researcher Kasif Dekel. Which, after a careful study, realized that a simple virtual business card, a vCard for accuracy, is enough to take possession of a device that uses WhatsApp Web. Understanding the mechanism of this attack gives us a clear idea of ??how, at times, it is very simple to attack a system by making it defy even the most sophisticated security technologies.
Basically, WhatsApp Web allows you to manage on your computer any media received in the smartphone fee. So, if I get a photo on WhatsApp, I can also see it on my computer, thanks to Web set-up. The manageable contents, to be precise, are images, videos, audio files and, precisely, vCard. Now, let's say an attacker gets to know the phone number of a potential victim (easier than you think, if you think that many of us put it in plain sight even on Facebook). He sends her a vCard and the victim opens it without too much trouble.
After all, a business card received from an unknown number, and apparently nothing dangerous. And here comes the discovery of Dekel. Essentially, You can inject an executable code into the virtual business card. In this way, opening the vCard file also starts the malicious file, which acts undisturbed in the computer, completing the target for which it is programmed. This procedure, so simple and straightforward, is possible since WhatsApp does not check that the format of a vCard file is actually of this type. In short, the famous application does not notice that the business card has inside the executable code, and therefore it makes it download without too many worries to the poor user.
It is, undoubtedly, a security flaw as big as a house, but luckily, Check Point was notified to WhatsApp beforehand, so that a correction to the problem was developed. However, the timing is worrying. WhatsApp Web available from August 19th, while the discovery of the vulnerability, promptly communicated to the WhatsApp Security Team, dates back to 21. Only two days later, on August 23rd, the answer arrived and the correction had to wait until August 27th. Instead, today, September 8th, the discovery was publicly announced, but this basically has less importance. What matters most is that, nowadays, six days to stop a leak to the most popular messaging system in the world, boasting over 200 million users, it puts a lot of potential victims at risk. By the way: if you used the app, downloading business cards from strangers in those days, check the PC well with a good antivirus.