WhatsApp Bug Leaves 200 Million Users Vulnerable to Malware

Security researchers have discovered that the web version of WhatsApp suffers from vulnerabilities that leave users’ security and devices ‘significantly’ compromised.

Researchers from security firm Check Point warned that WhatsApp Web, the browser version of the popular messaging service WhatsApp, has a “significant vulnerability”. If exploited, this vulnerability could allow malicious hackers to insert malware into the target’s computer, BBC reports.

WhatsApp Web is a web client that lets users access the messaging service as they would on their phone. Through the browser, users can send and receive messages, open shared images, videos and audio files, view location tags and more.

In a recent announcement, WhatsApp claimed that it had reached 900 million active users in a single month. It also noted that 200 million of those users access WhatsApp Web.

The Malware

Check Point researchers looking into the vulnerability said that exploiting it could allow attackers to distribute malicious code.

The vulnerability can be used to deliver malware such as ransomware, bots and remote access tools (RATs), up to a total system compromise.

Significantly, the only thing an attacker needs to target an individual is the phone number associated with the WhatsApp account. With this, an innocent-looking vCard (contact card) that is laced with malware is sent to the unsuspecting user. When the vCard is opened, it triggers an executable file that proceeds to download malware onto the computer.

The vulnerability affects all versions of WhatsApp Web up to 0.1.4481.
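The attack described above depends on a file presented as a contact card turning out to be executable. As a defender's illustration, the following added example (not code from WhatsApp or Check Point) checks that a received attachment is plain vCard text before it is offered to the user; the function name `inspectContactCard`, its rules and the sample inputs are assumptions constructed for this illustration and do not describe WhatsApp's actual patch.

```javascript
// Added example: the function, its rules and the samples are assumptions, not WhatsApp's fix.
const EXEC_MAGIC = [
  { name: "PE executable (MZ)", bytes: [0x4d, 0x5a] },
  { name: "ELF executable", bytes: [0x7f, 0x45, 0x4c, 0x46] },
  { name: "script with shebang", bytes: [0x23, 0x21] },
];

function inspectContactCard(filename, data) {
  const reasons = [];
  const buf = Buffer.from(data);

  // 1. The displayed name must be a bare file name ending in .vcf (no path, no other extension).
  if (!/^[^\\/]+\.vcf$/i.test(filename)) reasons.push("filename is not a plain .vcf name");

  // 2. The content must not begin with a known executable signature.
  for (const { name, bytes } of EXEC_MAGIC) {
    if (bytes.every((b, i) => buf[i] === b)) reasons.push("content looks like " + name);
  }

  // 3. vCards are text, so NUL bytes indicate binary content.
  if (buf.includes(0)) reasons.push("content contains NUL bytes");

  // 4. Structural check: BEGIN/END envelope and a known VERSION line.
  const lines = buf.toString("utf8").split(/\r?\n/).map((l) => l.trim()).filter((l) => l !== "");
  const first = (lines[0] || "").toUpperCase();
  const last = (lines[lines.length - 1] || "").toUpperCase();
  if (first !== "BEGIN:VCARD") reasons.push("missing BEGIN:VCARD");
  if (last !== "END:VCARD") reasons.push("missing END:VCARD");
  if (!lines.some((l) => /^VERSION:(2\.1|3\.0|4\.0)$/i.test(l))) {
    reasons.push("missing or unknown VERSION");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample inputs (not captured from any real incident).
const GOOD_CARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:+15550100\r\nEND:VCARD\r\n";
const FAKE_BINARY = Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00]); // starts with "MZ"
const FAKE_SCRIPT = "@echo off\r\necho constructed sample\r\n";

console.log(inspectContactCard("Alice Example.vcf", GOOD_CARD));
console.log(inspectContactCard("Alice Example.bat", FAKE_BINARY));
console.log(inspectContactCard("Alice Example.vcf", FAKE_SCRIPT));
```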

The Quick Fix

Upon being notified of the massive security issue, WhatsApp immediately acknowledged Check Point’s concerns and started rolling out an update containing the patch on 27 August. Presently, all versions of WhatsApp after v0.1.4481 include the fix for the vulnerability.

Oded Vanunu, security research group manager at Check Point, wrote in a blog post:

“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client.

“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”