vCard flaw exposes up to 200 million of WhatsApp Web users

Security experts at Check Point security discovered a flaw in WhatsApp Web that could be exploited by attackers to compromise hundreds of millions users,

According to the security firm Check Point a vulnerability in the popular messaging service WhatsApp Web exposes up to 200 million of its users at risk of cyber attack.

WhatsApp Web allows the users of the popular mobile app to access their messages from desktop machines.

An attacker can exploit the flaw in WhatsApp Web, the web-based version of the mobile application, can be exploited by attackers to trick users into executing arbitrary code on their PC.

The security researcher Kasif Dekel from Check Point explained that the vulnerability can be exploited by simply sending a vCard contact card containing malicious code to a WhatsApp user that opening it in the WhatsApp Web executes the code.

An attacker can inject a command in the attribute “name” of the vCard using the ‘&’ character as a separator. Windows will automatically parse the various attributes composing the vCard trying to execute their content, including the injected command.

“Check Point security researcher Kasif Dekel recently discovered significant vulnerabilities which exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malwares.” states Check Point in a blog post.

The exploitation of the flaw could allow crooks to serve various types of malware on the target machine, including RATs and ransomware. The flaw exploits the lack of validation of the contact card sent in the ‘vCard’ format.

“By manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file,” Dekel added.

The experts highlighted that the attacker just needs to create a contact and inject malicious code in the name attribute directly on the phone, then he needs to send it through the targeted WhatsApp client.

Check Point added that attackers can also use an icon to exploit the flaw and serve malicious binaries.

“But wait, there’s more! Clever attackers can exploit this in more devious scenarios, using the displayed icon to enrich the scam:

This simple trick opened up a vast world of opportunity for cybercriminals and scammers, in effect allowing easy “WhatsApp Phishing”. Massive exploitation of this vulnerability could have affected millions of users, failing to realize the malicious nature of the attachment.”

Check Point reported the flaw to WhatsApp at the end of last month and the company promptly fixed it. WhatsApp Web v0.1.4481 and later include the fix for this vulnerability.

Pierluigi Paganini

(Security Affairs – WhatsApp Web, hacking)