Significant vulnerabilities affect WhatsApp Web, the web-based extension of the popular WhatsApp application for phones.
The exploit can allow attackers to trick victims into executing malware on their machines in a new, sophisticated way.
Check Point security researcher Kasif Dekel found that to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code. Once opened in WhatsApp Web, the executable file in the contact card can run, further compromising computers by distributing malware including ransomware, bots, remote access tools (RATs), and other types of malicious code.
To target an individual, all an attacker needs is the phone number associated with the account. WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application, including images, videos, audio files, locations and contact cards.
In September 2015, WhatsApp announced they had reached 900 million active users a month, and at least 200M are estimated to use the WhatsApp Web interface. WhatsApp Web mirrors all messages sent and received (including images, videos, audio files, locations and contact cards), and fully synchronizes users’ phones and desktop computers so that users can see all messages on both devices.
WhatsApp has verified and acknowledged the security issue and has developed a fix. The fix started rolling out on August 27th 2015; however, users should update their WhatsApp Web software immediately to ensure they are protected.
All versions of WhatsApp Web after v0.1.4481 contain the fix for the vulnerability.