Slashdot Mirror


Vulnerabilities In WhatsApp Web Affect Millions of Users Globally

An anonymous reader writes with an alert for anyone who uses the WhatsApp Web application. Check Point researcher Kasif Dekel, according to NetSecurity.Org, has discovered that "to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code." When this card is opened from within the app, the executable it contains is run, "further compromising computers by distributing malware including ransomware, bots, remote access tools, and other types of malicious code." Not all users need to panic about this vulnerability, though: the company has rolled out a fix, contained in all versions of WhatsApp Web after v0.1.4481. But with an estimated 200 million users of the web-based version, many users aren't yet using the updated version.
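As an added example (not WhatsApp's or Check Point's code, and not a reconstruction of the flaw itself, whose mechanics the summary does not give), here is a defender-side pre-check that a file handed to a contact handler really is a vCard: it parses the RFC 6350 envelope and properties and flags an unexpected extension, lines that are not vCard properties, and base64-encoded payloads that begin with executable magic bytes. The sample cards and file names are constructed.

```python
"""Sanity-check a vCard attachment before passing it to a contact handler.

Added example. A text/vcard file (RFC 6350) is a BEGIN:VCARD / END:VCARD
envelope holding one "NAME;PARAMS:VALUE" property per logical line, with
continuation lines starting with a space or tab. The sample cards below
are constructed for this example.
"""
import base64
import re

# One property per unfolded line: group.NAME;PARAM=...:value
PROPERTY_RE = re.compile(r"^[A-Za-z0-9.-]+(;[^:]*)?:", re.ASCII)
# Magic bytes of common executable containers: Windows PE, ELF, script shebang.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")
ALLOWED_EXTENSIONS = {".vcf", ".vcard"}


def unfold(text: str) -> list[str]:
    """Join RFC 6350 continuation lines (leading space/tab) onto the previous line."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def inspect_vcard(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the card looks benign."""
    findings: list[str] = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        findings.append(f"unexpected extension {ext or '(none)'}")
    if data.startswith(EXECUTABLE_MAGIC):
        findings.append("file starts with executable magic bytes")
        return findings  # not a vCard at all; nothing more to parse
    lines = unfold(data.decode("utf-8", errors="replace"))
    if not lines or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        findings.append("missing BEGIN:VCARD/END:VCARD envelope")
    for line in lines[1:-1]:
        if not PROPERTY_RE.match(line):
            findings.append(f"non-property line: {line[:40]!r}")
            continue
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()
        # vCard 2.1 uses ENCODING=BASE64, vCard 3.0 uses ENCODING=b.
        if "ENCODING=B" in name.upper():
            try:
                blob = base64.b64decode(value, validate=True)
            except ValueError:
                findings.append(f"{prop}: undecodable base64 payload")
                continue
            if blob.startswith(EXECUTABLE_MAGIC):
                findings.append(f"{prop}: embedded executable payload")
    return findings


# Constructed samples: a benign card, a batch script wearing a vCard envelope,
# and a card whose PHOTO property carries a PE header instead of an image.
BENIGN = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
          b"TEL;TYPE=cell:+1-555-0100\r\nEND:VCARD\r\n")
DISGUISED = b"BEGIN:VCARD\r\nFN:Contact\r\n@echo off\r\nEND:VCARD\r\n"
PE_PHOTO = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Bob Example\r\nPHOTO;ENCODING=b;TYPE=JPEG:"
            + base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00PE") + b"\r\nEND:VCARD\r\n")

if __name__ == "__main__":
    for fname, card in (("alice.vcf", BENIGN), ("contact.bat", DISGUISED), ("bob.vcf", PE_PHOTO)):
        print(fname, "->", inspect_vcard(fname, card) or "looks like a plain vCard")
```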

67 comments

  1. Relevancy? by Anonymous Coward · · Score: 1, Interesting

    What's "WhatsApp" and why do we care?

    Amusingly, my 'captcha' today is the word "stupid".

    1. Re:Relevancy? by Anonymous Coward · · Score: 2, Informative

      It's a chat app that carefully cultivated the appearance of being "more private" than text messaging and old IM services like AOL or ICQ. Then it got bought by Facebook for a billion dollars.

      I suppose the news here is that it's leaking information to people who aren't paying Facebook for it.

    2. Re:Relevancy? by danbob999 · · Score: 1

      You should care because, you know, a proprietary, non-standard way of sending messages to friends was really something we missed.

    3. Re:Relevancy? by Anonymous Coward · · Score: 1

      Several years ago it was a great alternative here in Italy to SMSes, which cost around €0.10 each to send for those of us who had pay as you go phones. Everyone switched to WhatsApp to message instead and it blew up that way. It wasn't just Italy, but all of Europe.

      Looking at it from an American perspective, it's hard to understand why it's as big as it is.

    4. Re:Relevancy? by alex67500 · · Score: 1

      It's a chat app that carefully cultivated the appearance of being "more private" than text messaging and old IM services like AOL or ICQ. Then it got bought by Facebook for a stupid 19 billion dollars.

      I suppose the news here is that it's leaking information to people who aren't paying Facebook for it.

    5. Re:Relevancy? by danbob999 · · Score: 1

      You could have used anything else instead. Why a proprietary, non-standard solution?

    6. Re:Relevancy? by gstoddart · · Score: 1

      It boggled my mind that the people who run such corporations and are in charge of the initial IPO scam are fucking stupid enough to pay that kind of money for corporations with no assets or revenue.

      This is idiotic people running corporations thinking they have unlimited pretend money.

      How is it that shareholders and analysts aren't looking at crap like this and asking how this could possibly be valued at these levels?

      Oh, that's right, the big institutional investors who help do this shit know they'll just pawn it off on everybody else and siphon their billions out and leave everybody else holding the bag.

      I swear, when I see corporations making transactions like this I'm forced to assume your average C-level executive is a fucking moron.

      --
      Lost at C:>. Found at C.
    7. Re:Relevancy? by fisted · · Score: 1

      Because alas, people don't care about that. If it's "easy", "free" and "works", they'll go for it. I guess whatsapp was among the first smartphone "apps" that delivered on all three points (in their respective quotation marks), and then it was simply a matter of inertia and network effect.

      Yes, it's shit, but no, there's nothing one can do about it.

      I arranged myself around it with bitlbee (linked against libpurple (for which a plugin exists that speaks the whatsapp protocol)).

    8. Re:Relevancy? by danbob999 · · Score: 1

      Whatsapp will die soon one way or another. There isn't any closed, proprietary communication protocol that survived the years (think about phone, email, telegraph, they are all open standards). The sooner the better. The whole point of these protocols is to have total reachability. If there are dozens of competing, closed messaging apps, it will suck as none of them will allow to contact everyone.

    9. Re:Relevancy? by Anonymous Coward · · Score: 0

      I always thought it was just a free alternative to SMS.

    10. Re:Relevancy? by fisted · · Score: 1

      Yeah. No need to explain this to me, I fully agree on the matter. I'm just realistic enough to realize it ain't gonna happen.

      Phone, email and telegraph were actual innovations, and people went for them for a lack of alternatives, so that comparison doesn't really hold.

    11. Re: Relevancy? by Anonymous Coward · · Score: 0

      It's used by a ton of people. It allows texting conveniently from phone number to phone number internationally without international rates as well as VOIP.

      It may be more popular in small, dense regions in countries like Europe.

      Tons of people use it though. When I visited Japan and Germany almost everyone had it.

    12. Re:Relevancy? by IamTheRealMike · · Score: 2

      It's that thing the entire world outside of the USA and parts of Asia use instead of SMS.

    13. Re:Relevancy? by piojo · · Score: 1

      You should care because, you know, a proprietary, non-standard way of sending messages to friends was really something we missed.

      Where they really succeeded was the UI/UX. It's a chap app with auto-generated accounts and no user-visible authentication (this means you don't need to log on). In general, its UI is exactly the same as SMS, which is very well suited to a phone.

      --
      A cat can't teach a dog to bark.
    14. Re:Relevancy? by piojo · · Score: 1

      *chat app

      --
      A cat can't teach a dog to bark.
    15. Re:Relevancy? by alex67500 · · Score: 1

      C-Level requires you to be a C... to get there, maybe? ;-)

  2. Visibility of version number by Anonymous Coward · · Score: 0

    How can I find out what version of whatsapp web I'm running? I can't see the version number on the UI anywhere.

    1. Re:Visibility of version number by Khyber · · Score: 1

      The fact the version number starts with V-ZERO tells me this is a product not even ready for public usage.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:Visibility of version number by jrumney · · Score: 1

      If you are running the vulnerable version there is a green banner in the sidebar saying an update is available.

  3. More shitware ... by gstoddart · · Score: 1, Insightful

    Not even sure what this is, but this might explain why I've started seeing spam messages telling me What's App sent me a message.

    I have no idea what this app is, and I don't care ... I'm sure it's one of the endless stream of shitware out there whose sole purpose is to collect your data and deliver ads. I'm sure it pretends to do something useful too, like they all do. But all these apps and social media crap are really about two things: collecting your data and delivering ads.

    And in all likelihood will be full of security holes, untrustworthy in terms of a privacy policy, and just as likely to get hacked on their server side as anything.

    Yawn, wake me up when the golf rush of this shit has ended. This is why I have no interest in this crap ... because time and time again it proves itself to be broken, insecure, and run by shady people who only care about their profits.

    Sorry, but that's not something I'm interested in. The only way to win is to not even play.

    --
    Lost at C:>. Found at C.
    1. Re:More shitware ... by Anonymous Coward · · Score: 0

      ...because time and time again it proves itself to be broken, insecure, and run by shady people who only care about their profits.

      I thought you were talking about slashdot there...

    2. Re:More shitware ... by c · · Score: 1

      Yawn, wake me up when the golf rush of this shit has ended.

      I think you meant "gold rush", but damned if "golf rush" isn't a more apt description of this rash of venture-capital funded app companies...

      --
      Log in or piss off.
    3. Re:More shitware ... by gstoddart · · Score: 1

      LOL .. that's possibly the best typo I'll make all wookie.

      --
      Lost at C:>. Found at C.
    4. Re:More shitware ... by mlts · · Score: 1

      To me, the app has no purpose. Another communications medium for tracking behavior, taking people's messages, storing them indefinitely, and allowing virtually anyone access as per the TOS? No thanks.

      There are so many mail/messaging protocols out there. Enterprise? Skype for Business/Lync. Old school? IRC and USENET. Common chat? SMS, MMS, XMPP. Wanting to blab to the public about how many coils pinched off in the morning? Web page. Then, there is always Facebook.

      Using another messenger just makes no sense. This is why I don't bother with stuff like whatsapp and kik. Apps like that don't have the vetting of the EFF, so why bother? If they are not secure like Silent Circle's stuff, extremely popular like FB's messenger or SMS, or built on an open protocol like IRC or XMPP, a messenger app just isn't worth the time to bother with.

      Then, there is the definition of secure messaging. If I need enterprise security (think BitLocker), I use Skype or Lync. If I need personal security (think TrueCrypt or VeraCrypt), then I use Wickr, PGP, or a combination of the two.

    5. Re:More shitware ... by radarskiy · · Score: 1

      "I'm sure it's one of the endless stream of shitware out there whose sole purpose is to collect your data and deliver ads"

      One of the notable points about WhatsApp is that there are no ads: the user pays for it.

  4. Just saying... by Flavianoep · · Score: 2

    Whatsapp is quite popular in Brazil. Just saying...

    --
    Linux is for people who don't mind RTFM.
    1. Re:Just saying... by Anonymous Coward · · Score: 0

      how utterly AWFUL for them!

    2. Re:Just saying... by Anonymous Coward · · Score: 0

      Exactly - what's 200 million out of a Brazillian users ?

    3. Re:Just saying... by laie_techie · · Score: 1

      Whatsapp is quite popular in Brazil. Just saying...

      It costs me 30 cents a minute to call a Brazilian cell phone (my wife's from there and we like talking with her family). WhatsApp is free the first year and about a buck per subsequent year. It is a convenient option for my wife.

  5. Bug still in Web interface? by ripvlan · · Score: 2

    How can 200 million be affected by the web interface? I don't know what WhatsApp is (heard of it - never used it) I assume that "web" means web-server...and I thought that the power of the web was all clients are using the latest and greatest version all of the time.

    To upgrade 200 million users - wouldn't I upgrade the web-server?

    The article didn't get into the product design.

    1. Re:Bug still in Web interface? by MobyDisk · · Score: 2

      The confusion here stems from the fact that someone named a piece of application software with the word "web" and "app" in it. That's almost as bad as naming a web site with "slash" and "dot" in the name just to confuse people.

      When this card is opened from within the app...

      There's an app. It's vulnerable.

      Speaking more generally: this is the problem with operating systems allowing applications to register custom URLs. Someone can click on a link, but the link doesn't open in a web browser, it launches a local application and passes that data to the application. So it allows local vulnerabilities to become remote vulnerabilities.

    2. Re:Bug still in Web interface? by wvmarle · · Score: 1

      What is more surprising:

      many users aren't yet using the updated version.

      I always thought that one of the interesting bits of a web app is that when the server updates it, all clients are automatically updated as well, latest when the page is reloaded or the browser is restarted. It seems I'm wrong there. There also doesn't seem to be an (easy) way to check the current version of the app - just checked in Chromium.

    3. Re:Bug still in Web interface? by wvmarle · · Score: 1

      A too easy way to escape the sandbox of the browser. So this is a browser issue as well, allowing a web app to call external programs and run them with arbitrary data as input outside the sandbox the regular app is (supposed to be) running in.

    4. Re:Bug still in Web interface? by IamTheRealMike · · Score: 2

      WhatsApp is one of the world's most popular chat networks. It has nearly a billion users globally and dominates mobile chat/SMS replacement everywhere outside of the USA and China (possibly Japan).

      WhatsApp has a very interesting security design. It uses end to end encryption for messages (at least between some clients). As a result the web (really: desktop) version can't work in the way most normal web apps work. What it actually does is build a connection to your actual phone and remotely control it. If your phone is off you can't use the web version. The reason is: only the phone has the encryption keys. WhatsApp doesn't provide message backups etc. for this sort of reason also.

      I don't know why the web app has a user-triggered update process, but it would not surprise me if it's related to that: for instance, the web app checks digital signatures on the new version before re-caching it locally.

    5. Re:Bug still in Web interface? by hackertourist · · Score: 1

      So I still can't use Whatsapp without a smartphone? That's annoying.

  6. Sigh by jbmartin6 · · Score: 1

    More and more I believe in the conclusion that the only real defense is to just not have the feature/app/whatever

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Sigh by geekmux · · Score: 1

      More and more I believe in the conclusion that the only real defense is to just not have the feature/app/whatever

      No, feel free to use and abuse these apps all you want.

      That said, just don't believe a single word advertised about their security, since it will be proven in a matter of weeks or months that it was never a serious consideration.

  7. Web page refresh by wimconradie · · Score: 1

    How can a web version not be rolled out to most people? If you refresh your web page it is updated - done. As the patch was released more than 10 days ago, surely most people had to refresh somewhere. Feels like just another sensational article to me...

    1. Re: Web page refresh by Anonymous Coward · · Score: 0

      But swishdashers brag all the time about keeping 300 tabs open for 9 months straight. Surely this is a normal use case.

    2. Re: Web page refresh by wimconradie · · Score: 1

      Great use case :) I actually also know somebody like that. Regardless of this though I am still quite sure with an issue like this, the devs at whatsapp would have simply cleared all the sessions, forcing all browsers to refresh without most people even realising it.

  8. New here? by Anonymous Coward · · Score: 0

    Not all users need to panic about this vulnerability, though: the company has rolled out a fix

    Wait a second; what's the point of a vulnerability news article if it isn't to promote wild conjecture and attempt to incite panic?

  9. No sources by campuscodi · · Score: 1

    The article referenced has a hearsay status. The Check Point blog has no entry on this vulnerability. Doesn't that sound curious at all? An InfoSec company not promoting the s%^& out of itself?

    1. Re:No sources by jrumney · · Score: 1

      Here is the Checkpoint blog entry on the vulnerability. The vulnerability is real, I got an unsolicited message last week with a "vcard" attached, but since it was unsolicited and not from someone I know, I deleted the conversation and blocked the user without looking at it. Now I'm wishing that I'd at least kept a record of who it was from so I can figure out who was doing the spearphishing.

  10. Re:Who really uses WhatsApp by Gaygirlie · · Score: 2

    There are no good alternatives, though. XMPP, for example, is a huge effing mess and doesn't even properly support modern features. As an example, I have been trying to set up an XMPP-server of my own and for some reason Pidgin-users can transfer files to other Pidgin-users and Conversations (an Android-based XMPP-client) users can send files to other Conversations-users, but Pidgin-to-Conversations or Conversations-to-Pidgin doesn't work. All the things related to file-transfers and such are afterthoughts so it's no wonder, even; it was originally just meant for text-based chatting and that shines through everywhere.

  11. BBM stands alone by Rigel47 · · Score: 2

    As does BB10 OS in not having any of these ridiculous vulnerabilities.

    I guess it's true, people really just don't care about security. Every week is an announcement of some massive hole in Android, iOS, etc, and yet nobody considers moving to a free, secure, and feature-rich platform like BlackBerry.

    1. Re:BBM stands alone by wvmarle · · Score: 1

      This has nothing to do with Android or iOS. It's the web app, not the mobile phone app. And of course there's no issue for BB. It's just like *BSD. No-one uses it, so no-one targets it. Security by obscurity.

    2. Re:BBM stands alone by Rigel47 · · Score: 1

      Right.. which is why pretty much every head of state uses a BlackBerry.. because nobody will bother trying to hack that platform.

    3. Re:BBM stands alone by Anonymous Coward · · Score: 0

      [...] Security by obscurity.

      Security by obsolescence.

      The PDP-11, VAX/VMS, OS/2, and Commodore Amiga haven't had a major security vulnerability in the past two decades either.

  12. Re:Who really uses WhatsApp by danbob999 · · Score: 1

    Ever thought about sending your file by email? Why would we need a proprietary, non-standard communication protocol?

  13. Re:Who really uses WhatsApp by Gaygirlie · · Score: 1

    XMPP is not a proprietary protocol. Also, attaching images, sound-clips and short video-clips is a pretty common way of adding flavour to a conversation. E-mail is not an on-going live conversation, it's not comparable.

  14. 200M People Use The Web Version? by Anonymous Coward · · Score: 0

    I suspect it's not that 200 million people are vulnerable to this attack, but that 200 million people have versions of WhatsApp installed that would be vulnerable if they were to use the web version. However, of those 200 million people I would imagine only about five actually use the web version, which makes this vulnerability pretty insignificant.

    The reason nobody would use the web version is because it's dreadful. You have to use your phone to scan a QR code off the monitor and then leave your phone connected while you send messages via your PC. It would be useful if you could use WhatsApp from your PC without having to use your phone to log in and stay connected, but unfortunately that's not the way it works.

    Since you have to get your phone out, start up WhatsApp, scan a QR code and leave the phone connected, you may as well just send the messages from your phone as well. Overall it's less hassle than using the web client.

  15. Re:Who really uses WhatsApp by danbob999 · · Score: 1

    of course XMPP isn't. WhatsApp is.

  16. Re:Who really uses WhatsApp by tompaulco · · Score: 1

    XMPP is not a proprietary protocol. Also, attaching images, sound-clips and short video-clips is a pretty common way of adding flavour to a conversation. E-mail is not an on-going live conversation, it's not comparable.

    Adding images, sound-clips and short video-clips sounds like a pretty common way to annoy who you are talking to. I hate instant message programs. They are a productivity killer. I see other people dropping what they are doing and instantly switching over to see what the latest "Ding!" was about. You might as well send me an e-mail because I will get to it when I have a moment, not immediately. If you require my 100% focus, arrange a meeting.

    --
    If you are not allowed to question your government then the government has answered your question.
  17. Obligatory by JustAnotherOldGuy · · Score: 0

    A shit-written app for social-media numpties has a glaring vulnerability?? Geez, who coulda seen that coming??

    Obligatory: I'm shocked, SHOCKED I TELL YOU!!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. No confidence. by AndyKron · · Score: 1

    I got the window open and I'm about to chuck my computer out of it.

  19. Re:Who really uses WhatsApp by Gaygirlie · · Score: 1

    Then you're clearly not the target audience here and your ranting is irrelevant.

  20. Re:Who really uses WhatsApp by Gaygirlie · · Score: 1

    I was talking about XMPP. Whatsapp at least handles all those more modern conversational features well and coherently, XMPP doesn't, and I am not aware of any other good open-source alternatives either. It's useless to rant about proprietary protocols when the available open-source protocols are so bad that no one would want to use them.

  21. Re:Who really uses WhatsApp by Khyber · · Score: 1

    " As an example, I have been trying to set up an XMPP-server of my own and for some reason Pidgin-users can transfer files to other Pidgin-users and Conversations (an Android-based XMPP-client) users can send files to other Conversations-users, but Pidgin-to-Conversations or Conversations-to-Pidgin doesn't work."

    That's because Pidgin is a piece of shit multi-client, even file transfers between Pidgin-Pidgin over Yahoo or AIM networks fail all the time. XMPP works just fine, it's fucking Pidgin.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  22. Leave well enough alone proclaimed Darwin by Anonymous Coward · · Score: 0

    They will be consumed as prey. Good for the rest of the herd.

  23. Re:Who really uses WhatsApp by danbob999 · · Score: 1

    Whatsapp is so bad that it works with phone numbers. Therefore it is so bad that I don't see why anyone would want to use it.

  24. Re:Who really uses WhatsApp by Gaygirlie · · Score: 1

    I don't see

    Yes, that much is obvious at this point.

  25. Re:Who really uses WhatsApp by Anonymous Coward · · Score: 0

    Your example of a conversational feature not handled well by XMPP but handled well by WhatsApp was "transferring files." This example is either irrelevant (no call to transfer files over chat in general, easy alternative of emailing files since xmpp addresses are email-shaped), or outright false (WhatsApp can't transfer files, can it? I thought it was single-endpoint-per-user, which must be a phone). Please come up with another example. I'm not saying there isn't one, just that you are muddle-headed and contributing noise.

  26. How racist by Anonymous Coward · · Score: 0

    This doesn't help normal people, only those white insurgents.

    1. Re:How racist by Anonymous Coward · · Score: 0

      Exactly. Most people don't need sunscreen. Only the genetically inferior need it.

  27. WhatsApp :: cross-platform mobile messaging app by nickweller · · Score: 1

    "When this card is opened from within the app, the executable it contains is run, "further compromising computers by distributing malware including ransomware, bots, remote access tools, and other types of malicious code.""

    What platforms can this 'ransomware' run on to further compromise the device?

  28. Please turn out the lights by Anonymous Coward · · Score: 0

    Attention last BlackBerry user!!!
    Attention last BlackBerry user!!!
     
    Please turn out the lights when you exit the building.
     
    Thank you!
     
    --- The Management