LONDON: Security experts have discovered a flaw in Facebook-owned messaging app WhatsApp which allows malicious actors to hack users’ computers by disguising malware as perfectly innocent contact cards and other files.
The problem lies in the web version of WhatsApp failing to properly verify vCard files, according to research firm Check Point, which discovered the flaw. vCards are digital business cards commonly sent via text message.
Check Point discovered it was able to change the file extension of a vCard, which ends in “.vcf”, to “.exe” (executable file) or “.bat” (batch file) without WhatsApp noticing. That means a hacker can disguise malicious code as an innocent looking contact card.
Worse still is that hackers could also change the icon of the malicious file to further trick the victim into downloading it.
Advertisement
“Once such a contact is created, all an attacker has to do is share it via the normal WhatsApp client,” Check Point wrote on its blog.
A malicious vCard could attack a victim’s computer with bots (which gives a hacker control of your computer, enabling it to be used to launch cyber attacks), ransomware (which locks your computer until you pay a ransom), remote administrative tools (which enables a hacker to spy on you remotely), and other nasties.
Check Point said it was “surprised” WhatsApp had failed to perform any validation on the vCard format or file contents.
“When we crafted an exe file into this request, the WhatsApp web client happily let us download the portable executable file in all its glory,” the firm said.
It’s a stark reminder not to download any files from an unverified source.
Check Point said the problem only affected the web version of WhatsApp, which it estimated has around 200 million active users worldwide, based on recent web traffic data.
There are 900 million WhatsApp users all up, according to WhatsApp, but most users were unaffected by the vulnerability as they are only using the mobile version of the app.
