Security vulnerability means malware can be installed on WhatsApp Web user PCs, Check Point warns
Users of the popular WhatsApp Web service could be at risk of having malware installed on their machines without them knowing, security experts have warned.
Researchers at Check Point have revealed that up to 200 million users of the service, which allows users to receive their WhatsApp messages on their PC, could be at risk.
The exploit, discovered by Check Point security researcher Kasif Dekel, can allow attackers to trick victims into executing malware on their machines in a new, sophisticated way.
In order to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent ‘vCard’ contact card, containing malicious code. Once opened in WhatsApp Web, the executable file in the contact card can run, further compromising computers by distributing malware including ransomware, bots, remote access tools (RATs), and other types of malicious code.
The flaw is particularly dangerous as all an attacker needs to target someone is the phone number associated with their account.
WhatsApp is advising Web users to update the application immediately to make sure they are protected, with an updated version of the app available now.
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client” said Oded Vanunu, security research group manager at Check Point.
“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”
WhatsApp, which recently announced it had passed 900m mobile users, released its web-based service back in January as the company looked to make it easier to type messages and save images and videos, as mobile device often have limited space.
Are you a security expert? Try our quiz!