Hey people! In order to make sure you are protected, update your WhatsApp Web right now.
Kasif Dekel, a security researcher at Check Point, discovered significant vulnerabilities in the WhatsApp Web logic that allow attackers to trick victims into executing arbitrary code on their machines.
“All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malware,” the researchers wrote in a blog post.
As per the researcher, in order to target an individual, all the attacker needs is the phone number associated with the WhatsApp account.
According to Kasif, WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.
While doing the research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file. This means that once the victim clicks the downloaded file (which he assumes is a contact card), the code inside the batch file runs on his computer.
The researcher said he was surprised to find that WhatsApp failed to perform any validation on the vCard format or the contents of the file: when he crafted an exe file into this request, the WhatsApp Web client happily let him download the PE file in all its glory.
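As an added defensive illustration (not Check Point's or WhatsApp's code), this is the kind of validation the text says was missing: check the declared extension, reject executable magic, require vCard structure, and derive the download name from the validated type rather than from the sender-controlled field. The sample attachments are constructed.

```python
from __future__ import annotations
import os
import re

# Constructed samples standing in for files a web client receives labelled
# as contact cards. These are not real WhatsApp messages or payloads.
SAMPLES = {
    "alice.vcf": b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
                 b"TEL:+10000000000\r\nEND:VCARD\r\n",
    # Batch script delivered under a contact-card media type.
    "contact.bat": b"@echo off\r\necho constructed sample, not a payload\r\n",
    # PE/DOS header hidden behind a .vcf name (constructed, not a real binary).
    "contact.vcf": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
}

ALLOWED_EXTENSIONS = {".vcf", ".vcard"}


def validate_vcard_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject the attachment; an empty list means it passed."""
    problems: list[str] = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {ext!r} is not allowed for a contact card")
    if data[:2] == b"MZ":
        problems.append("content starts with the PE/DOS 'MZ' magic, not vCard text")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("content is not UTF-8 text, so it cannot be a vCard")
        return problems
    body = text.strip()
    if not body.startswith("BEGIN:VCARD") or not body.endswith("END:VCARD"):
        problems.append("content is not wrapped in BEGIN:VCARD / END:VCARD")
    if "VERSION:" not in body:
        problems.append("vCard has no VERSION property")
    return problems


def enforce_contact_card_name(filename: str) -> str:
    """Build the download name from the validated media type, not the sender's field."""
    stem = os.path.splitext(os.path.basename(filename))[0]
    stem = re.sub(r"[^A-Za-z0-9._-]", "_", stem) or "contact"
    return stem + ".vcf"


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", validate_vcard_attachment(name, blob) or "OK",
              "| served as", enforce_contact_card_name(name))
```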
WhatsApp verified the issue and has deployed an initial mitigation against its exploitation in all web clients, pending an update of the WhatsApp client.