Security researchers have found a flaw in WhatsApp’s web interface that puts up to 200 million users at risk.
The vulnerability lets attackers distribute malware, including ransomware, which locks victims out of their systems and data until they pay a fee.
The flaw affects only the web-based version of the service, not the mobile app. WhatsApp released its web client in January.
According to security firm Check Point, the vulnerability was caused by the way the service handles contacts sent in the vCard (virtual card) format.
Check Point security researcher Kasif Dekel found that, to exploit the vulnerability, an attacker need only send a WhatsApp user a seemingly innocent vCard contact card that actually carries malicious code. When the recipient opens the card in WhatsApp Web, the executable file delivered as the contact card runs, compromising the computer with malware such as ransomware, bots, remote access tools (RATs) and other malicious code.
To target an individual, an attacker needs only the phone number associated with the victim's account.
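As an added example (it is neither WhatsApp's code nor Check Point's proof of concept), the gate a web client should apply before offering a received contact card to the user: discard the sender's path and extension, refuse anything the desktop would run as a program, require the body to actually be a vCard, and always save the file as .vcf. The attachment shape `{filename, body}`, the `vetContactCard` and `looksLikeVCard` helpers and the sample inputs are constructed for this example.

```javascript
// Added example: defensive handling of an incoming "contact card" in a web
// client. Hypothetical helpers; not WhatsApp's code.

// Extensions that Windows or macOS will hand to a loader or script host when
// the user double-clicks the downloaded file.
const EXECUTABLE_EXTENSIONS = new Set([
  '.exe', '.bat', '.cmd', '.com', '.scr', '.pif', '.vbs', '.js', '.jse',
  '.wsf', '.ps1', '.msi', '.hta', '.jar', '.sh', '.command',
]);

// Minimal structural check from RFC 6350 / RFC 2426: a vCard is bracketed by
// BEGIN:VCARD / END:VCARD and carries a VERSION line. A batch script that was
// merely renamed to .vcf fails this.
function looksLikeVCard(body) {
  const lines = String(body || '')
    .replace(/\r\n/g, '\n')
    .split('\n')
    .map((l) => l.trim())
    .filter(Boolean);
  if (lines.length < 3) return false;
  if (!/^BEGIN:VCARD$/i.test(lines[0])) return false;
  if (!/^END:VCARD$/i.test(lines[lines.length - 1])) return false;
  return lines.some((l) => /^VERSION:\d\.\d$/i.test(l));
}

// Decide whether a received attachment may be offered as a contact card.
// Returns { accept, filename, reason }; filename is the name to save under.
function vetContactCard({ filename, body }) {
  // 1. Drop any directory component the sender supplied ("../x", "C:\\x").
  const base = String(filename || '').split(/[\\/]/).pop();
  // 2. Look at the LAST extension only: "card.vcf.bat" is a .bat file.
  const extMatch = base.match(/\.[^.]*$/);
  const ext = extMatch ? extMatch[0].toLowerCase() : '';
  if (EXECUTABLE_EXTENSIONS.has(ext)) {
    return { accept: false, filename: null, reason: `executable extension ${ext}` };
  }
  // 3. The body must really be a vCard, whatever the name says.
  if (!looksLikeVCard(body)) {
    return { accept: false, filename: null, reason: 'body is not a vCard' };
  }
  // 4. Never keep the sender's extension: a contact card is saved as .vcf,
  //    with the stem reduced to a safe character set.
  const stem = base.replace(/\.[^.]*$/, '').replace(/[^\w.-]+/g, '_') || 'contact';
  return { accept: true, filename: `${stem}.vcf`, reason: 'ok' };
}

// Constructed sample attachments: one genuine card, three that must be refused.
const SAMPLES = [
  { filename: 'alice.vcf',
    body: 'BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:+15555550100\r\nEND:VCARD\r\n' },
  { filename: 'alice.vcf.bat', body: '@echo off\r\necho not a contact\r\n' },
  { filename: '../alice.bat',
    body: 'BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nEND:VCARD\r\n' },
  { filename: 'alice.vcf', body: '@echo off\r\necho not a contact\r\n' },
];

function vetAll() {
  return SAMPLES.map((s) => vetContactCard(s));
}

for (const r of vetAll()) console.log(r);
```

The order of the checks matters: the extension test runs before the body test so that a genuine vCard body delivered under a .bat name is still refused, and the saved name is regenerated rather than sanitised, so the client never trusts the sender's extension at all.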
After Check Point reported the flaw on August 21, WhatsApp quickly developed a fix for web clients worldwide, which began rolling out on August 27. All versions of WhatsApp Web after v0.1.4481 contain the fix.
Check Point urges users to update their WhatsApp Web client immediately and to clear their browser cache so that the patched version is actually loaded rather than a cached copy of the old client.
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, security research group manager at Check Point.
“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”
Earlier this month, WhatsApp announced it had hit 900 million monthly users.