WhatsApp vulnerability allows hackers to take control of WhatsApp Web user’s machine, install almost anything
Israeli security firm Check Point has discovered a critical vulnerability in WhatsApp Web, the web-based extension of the WhatsApp mobile application, which attackers can exploit to trick users into executing arbitrary code on their machines.
The vulnerability was discovered by Check Point security researcher Kasif Dekel and can be exploited by simply sending a vCard contact card containing malicious code to a WhatsApp user. As soon as the WhatsApp user opens the innocuous-looking vCard in WhatsApp Web, the malicious code contained in it can run on the victim’s machine.
Check Point says that this vulnerability is so severe that the potential hacker could distribute any malware, including ransomware, bots, and remote access tools (RATs) by exploiting it.
“To target an individual, all an attacker needs is the phone number associated with the account,” the Check Point blog states.
WhatsApp allows users to download any media that can be sent as an attachment, including photos, videos, audio files, locations and contact cards. Attackers can infiltrate the WhatsApp user’s PC by sending a seemingly innocent contact that “most users would click immediately without giving it a second thought,” said Check Point.
The vulnerability is caused by improper filtering of contact cards that are sent using the popular ‘vCard’ format.
An attacker can inject a command in the name attribute of the vCard file, separated by the ‘&’ character. Windows automatically tries to run all lines in the file, including the injection line, when the vCard is opened. Clicking on the contact card instantly downloads a file that immediately runs on the computer in use. “By manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file,” Check Point says.
This attack does not require XMPP interception or crafting, because anyone can create such a contact with an injected payload directly on the phone, Check Point notes. As soon as the contact is ready, the attacker only needs to share it through the WhatsApp client with unsuspecting users. Check Point also explains that WhatsApp fails to validate the vCard format or the contents of the file, and that even a hidden exe file can be sent this way.
Check Point said that it had informed the WhatsApp security team about the vulnerability and that WhatsApp promptly issued an update on 27th August fixing it. “WhatsApp has verified and acknowledged the security issue and has developed a fix for web clients worldwide,” reported Check Point.
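The three checks whose absence is described above (file extension, vCard format, name-field contents), written as a receiving-side validator. This is an added example, not WhatsApp's or Check Point's code; the function name `checkContactCard`, the metacharacter set and the sample cards are assumptions constructed for illustration.

```javascript
// Added example: validate a contact-card attachment before offering it to the user.
// Assumed policy: only .vcf names, a well-formed vCard body, no shell
// metacharacters in the name fields (N / FN).
const SHELL_META = /[&|<>^%`]/;                 // characters a command interpreter treats specially
const PROP_LINE = /^[A-Za-z0-9.-]+(;[^:]*)?:/;  // NAME[;params]:value

function checkContactCard(fileName, body) {
  const problems = [];
  // 1. The extension must not be sender-controlled: allow only .vcf.
  if (!/^[^\\\/:]+\.vcf$/i.test(fileName)) {
    problems.push("extension is not .vcf");
  }
  // 2. The body must really be a vCard. Unfold continuation lines first.
  const lines = body.replace(/\r?\n[ \t]/g, "").split(/\r?\n/).filter((l) => l !== "");
  if (lines.length < 2 || !/^BEGIN:VCARD$/i.test(lines[0]) ||
      !/^END:VCARD$/i.test(lines[lines.length - 1])) {
    problems.push("missing BEGIN:VCARD / END:VCARD envelope");
  }
  for (const line of lines) {
    if (!PROP_LINE.test(line)) {
      problems.push("not a vCard property line: " + JSON.stringify(line.slice(0, 40)));
      continue;
    }
    // 3. Name fields must not carry command-separator characters.
    const name = line.slice(0, line.search(/[;:]/)).split(".").pop().toUpperCase();
    const value = line.slice(line.indexOf(":") + 1);
    if ((name === "N" || name === "FN") && SHELL_META.test(value)) {
      problems.push(name + " contains shell metacharacters");
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs (not taken from the advisory).
const GOOD_CARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:+10000000000\r\nEND:VCARD\r\n";
const BAD_NAME_CARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice & PLACEHOLDER\r\nEND:VCARD\r\n";
const NOT_A_VCARD = "constructed non-vCard bytes";

console.log(checkContactCard("contact.vcf", GOOD_CARD));
console.log(checkContactCard("contact.vcf", BAD_NAME_CARD));
console.log(checkContactCard("contact.exe", NOT_A_VCARD));
```

Rejecting on any single problem is the conservative choice here: a card that fails the format check should never reach the point where the operating system decides how to open it.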
WhatsApp Web users should update their software before using it so that the vulnerability is not used against them. WhatsApp Web v0.1.4481 and later include the fix for this vulnerability.