vCard flaw exposes up to 200 million of WhatsApp Web users

Security experts at Check Point security discovered a flaw in WhatsApp Web that could be exploited by attackers to compromise hundreds of millions users,

According to the security firm Check Point a vulnerability in the popular messaging service WhatsApp Web exposes up to 200 million of its users at risk of cyber attack.

WhatsApp Web allows the users of the popular mobile app to access their messages from desktop machines.

An attacker can exploit the flaw in WhatsApp Web, the web-based version of the mobile application, can be exploited by attackers to trick users into executing arbitrary code on their PC.

The security researcher Kasif Dekel from Check Point explained that the vulnerability can be exploited by simply sending a vCard contact card containing malicious code to a WhatsApp user that opening it in the WhatsApp Web executes the code.

An attacker can inject a command in the attribute “name” of the vCard using the ‘&’ character as a separator. Windows will automatically parse the various attributes composing the vCard trying to execute their content, including the injected command.

“Check Point security researcher Kasif Dekel recently discovered significant vulnerabilities which exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malwares.” states Check Point in a blog post.

The exploitation of the flaw could allow crooks to serve various types of malware on the target machine, including RATs and ransomware. The flaw exploits the lack of validation of the contact card sent in the ‘vCard’ format.

“By manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file,” Dekel added.

The experts highlighted that the attacker just needs to create a contact and inject malicious code in the name attribute directly on the phone, then he needs to send it through the targeted WhatsApp client.

Check Point added that attackers can also use an icon to exploit the flaw and serve malicious binaries.

“But wait, there’s more! Clever attackers can exploit this in more devious scenarios, using the displayed icon to enrich the scam:

This simple trick opened up a vast world of opportunity for cybercriminals and scammers, in effect allowing easy “WhatsApp Phishing”. Massive exploitation of this vulnerability could have affected millions of users, failing to realize the malicious nature of the attachment.”

Check Point reported the flaw to WhatsApp at the end of last month and the company promptly fixed it. WhatsApp Web v0.1.4481 and later include the fix for this vulnerability.

Pierluigi Paganini

(Security Affairs – WhatsApp Web, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.