WhatsApp, the popular cross-platform messaging app owned by Facebook Inc., is now facing a big problem. A vulnerability, code-named MaliciousCard, put hundreds of millions of WhatsApp users at risk.
The vulnerability was found by Check Point security researcher Kasif Dekel in WhatsApp Web, the web-based extension of WhatsApp. WhatsApp now has about 900 million active users a month, and at least 200 million of them are estimated to use the WhatsApp Web interface. WhatsApp Web mirrors all messages sent and received and fully synchronizes your phone with your desktop computer, so users see all messages on both devices. WhatsApp Web is available for most WhatsApp-supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and Nokia smartphones.
How Does MaliciousCard Attack Your WhatsApp?
In its blog post, the Check Point team describes how MaliciousCard attacks the WhatsApp Web extension. The vulnerability abuses WhatsApp Web's logic and allows attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the supposed contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs and other malware. To target an individual, all an attacker needs is the phone number associated with the account.
WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards. The vulnerability lies in improper filtering of contact cards sent using the popular vCard format. This is a screenshot of a possible contact vCard sent by a malicious user:
As you can see, this message (contact card) appears legitimate, like any other contact card; most users would click it immediately without giving it a second thought. The consequence of this innocent action is downloading a file that can run arbitrary code on the victim's machine:
Check Point discovered it was able to change the file extension of a vCard, which normally ends in ".vcf", to ".exe" (executable file) or ".bat" (batch file) without WhatsApp noticing. This means that once the victim clicks the downloaded file (which they assume is a contact card), the code inside the batch file runs on their computer.
Check Point said it was “surprised” WhatsApp had failed to perform any validation on the vCard format or file contents.
“When we crafted an exe file into this request, the WhatsApp web client happily let us download the portable executable file in all its glory,” the firm said.
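The root cause described above is that the web client trusted the attachment's name and bytes without checking them. As an added illustration (not Check Point's or WhatsApp's code; every function and field name here is an assumption), the following shows the "before" case, which accepts whatever the message claims, next to a hardened check a web client could run before offering a contact card for download: the extension must be `.vcf`, the declared MIME type must be a vCard type, the content must actually parse as `BEGIN:VCARD ... END:VCARD` text rather than an executable, and the saved filename is normalized so a stray `.exe` or `.bat` cannot survive.

```javascript
// Added example, not code from the original article or from WhatsApp.
// All names (validateContactAttachment, safeVcardFilename, the attachment
// object shape) are assumptions for illustration.

const VCARD_EXT = ".vcf";
const MAX_VCARD_BYTES = 64 * 1024; // assumption: a contact card should be small

// Strip any path components, drop unsafe characters, and force a .vcf suffix
// so the saved file can never end in .exe or .bat.
function safeVcardFilename(name) {
  const base = String(name).split(/[\\/]/).pop() || "contact";
  const cleaned = base.replace(/[^\w .\-]/g, "_").replace(/^\.+/, "");
  const stem = cleaned.toLowerCase().endsWith(VCARD_EXT)
    ? cleaned.slice(0, -VCARD_EXT.length)
    : cleaned;
  return (stem || "contact") + VCARD_EXT;
}

// Content check: a vCard is plain text starting with BEGIN:VCARD and ending
// with END:VCARD. Executable magic bytes or NUL bytes mean it is not one.
function looksLikeVcard(bytes) {
  if (bytes.length === 0 || bytes.length > MAX_VCARD_BYTES) return false;
  if (bytes[0] === 0x4d && bytes[1] === 0x5a) return false; // PE "MZ"
  if (bytes[0] === 0x7f && bytes[1] === 0x45 && bytes[2] === 0x4c && bytes[3] === 0x46) return false; // ELF
  if (bytes.includes(0)) return false; // binary, not text
  const text = bytes.toString("utf8").replace(/^\uFEFF/, "").trim();
  return /^BEGIN:VCARD\r?\n/i.test(text) && /\r?\nEND:VCARD$/i.test(text);
}

// The "before" behaviour: the client trusts the name the sender supplied.
function unvalidatedDownload(attachment) {
  return { accepted: true, filename: attachment.filename };
}

// The hardened check: name, declared type and content must all agree.
function validateContactAttachment(attachment) {
  const { filename, mimeType, bytes } = attachment;
  if (!String(filename).toLowerCase().endsWith(VCARD_EXT)) {
    return { accepted: false, reason: "extension is not .vcf" };
  }
  if (mimeType !== "text/vcard" && mimeType !== "text/x-vcard") {
    return { accepted: false, reason: "unexpected MIME type " + mimeType };
  }
  if (!looksLikeVcard(bytes)) {
    return { accepted: false, reason: "content is not a vCard" };
  }
  return { accepted: true, filename: safeVcardFilename(filename) };
}

// Constructed sample attachments (not real messages).
const GOOD_VCARD = Buffer.from(
  "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Sample Contact\r\nTEL:+10000000000\r\nEND:VCARD\r\n"
);
const PE_STUB = Buffer.concat([Buffer.from("MZ"), Buffer.alloc(62, 0)]); // PE magic + padding
const BATCH_STUB = Buffer.from("@echo off\r\necho hello\r\n"); // batch text, not a vCard

// Stand-alone demonstration.
for (const [label, att] of [
  ["genuine vCard", { filename: "Contact.vcf", mimeType: "text/vcard", bytes: GOOD_VCARD }],
  ["renamed .exe", { filename: "contact.exe", mimeType: "text/vcard", bytes: PE_STUB }],
  ["PE named .vcf", { filename: "contact.vcf", mimeType: "text/vcard", bytes: PE_STUB }],
  ["batch named .vcf", { filename: "contact.vcf", mimeType: "text/vcard", bytes: BATCH_STUB }],
]) {
  console.log(label, "before:", unvalidatedDownload(att), "after:", validateContactAttachment(att));
}
```

The three checks are deliberately independent: the extension check alone would have stopped the renamed `.exe`/`.bat` case from the article, but a file named `contact.vcf` whose bytes are a PE image would still pass it, which is why the content check is the one that matters most. Real clients should also hand the bytes to a proper vCard parser rather than the regular expressions used here.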
It’s a stark reminder not to download any files from an unverified source.
Check Point's Security Research Group Manager said:
"Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client. We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices."