A newly found vulnerability in WhatsApp Web, the Web-based interface of the popular instant messaging client, allows attackers to trick users into executing arbitrary code on their computers, a security firm reports. The vulnerability affects more than 200 million people who use WhatsApp Web. WhatsApp has since updated its Web client to patch the bug in the latest version.
The ‘MaliciousCard’ vulnerability can be exploited by simply sending a vCard contact card containing malicious code to a victim’s account, reports security firm Check Point. Once the victim opens the alleged contact, it starts to distribute bots, ransomware, and other malware files.
Since the business contact card looks perfectly legitimate, it is impossible for a user to know if the contact is riddled with malicious code.
The security firm noted that it informed WhatsApp about the vulnerability, and the messaging service issued an update on August 21 that fixes the bug. WhatsApp Web v0.1.4481 or later are not affected with the vulnerability.
The vulnerability lies in the improper filtering of contact cards sent in the vCard format in older versions of WhatsApp. The attacker can inject a command in the name attribute of the vCard file, separated by the ampersand character. Windows would automatically try to run all lines in the code. It is not known whether Mac users are affected by the vulnerability.
WhatsApp fails to validate the vCard format and the contents of the file, the firm further noted. One could send an executable file and WhatsApp wouldn’t be able to flag or block it.
WhatsApp, which is available across multiple platforms, recently announced that it reached 900 million monthly active users. WhatsApp Web, which offers several of the mobile app’s functionalities including the ability to send and receive text and audio notes, is used by more than 200 million users.