Slashdot Mirror


Vulnerabilities In WhatsApp Web Affect Millions of Users Globally

An anonymous reader writes with an alert for anyone who uses the WhatsApp Web application. Check Point researcher Kasif Dekel, according to NetSecurity.Org, has discovered that "to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code." When this card is opened from within the app, the executable it contains is run, "further compromising computers by distributing malware including ransomware, bots, remote access tools, and other types of malicious code." Not all users need to panic about this vulnerability, though: the company has rolled out a fix, contained in all versions of WhatsApp Web after v0.1.4481. But with an estimated 200 million users of the web-based version, many users aren't yet using the updated version.
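The summary above describes a contact card whose payload is executable code rather than contact data. As an added example that is not from the article, Check Point or WhatsApp, the following Python shows the check a receiving client could run on a .vcf before handing it to the operating system: it verifies the filename extension, that the body really is a vCard, and that any base64-encoded property decodes to something other than a PE, ELF or shebang header. The sample cards are constructed for the example.

```python
import base64
import re

# Constructed sample cards (not from the article). The second carries a base64
# PHOTO property whose decoded bytes begin with a Windows PE "MZ" header.
BENIGN_VCARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:+15555550100\r\nEND:VCARD\r\n"
SUSPICIOUS_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Bob Example\r\nPHOTO;ENCODING=b;TYPE=JPEG:"
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
    + "\r\nEND:VCARD\r\n"
)

# Leading bytes that genuine contact data should never decode to.
EXECUTABLE_MAGIC = ((b"MZ", "PE/EXE"), (b"\x7fELF", "ELF"), (b"#!", "shebang script"))


def executable_kind(blob):
    """Return the executable type matching blob's leading bytes, else None."""
    for magic, kind in EXECUTABLE_MAGIC:
        if blob.startswith(magic):
            return kind
    return None


def binary_properties(vcard_text):
    """Yield (property name, decoded bytes) for each base64 (ENCODING=b/BASE64) property."""
    # Undo vCard line folding first: continuation lines start with a space or tab.
    for line in re.sub(r"\r?\n[ \t]", "", vcard_text).splitlines():
        head, _, value = line.partition(":")
        if "ENCODING=B" not in head.upper():
            continue
        try:
            yield head.split(";")[0].upper(), base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError; undecodable -> opaque
            yield head.split(";")[0].upper(), b""


def inspect_vcard(filename, data):
    """Return findings for a received card; [] means it looks like plain contact data."""
    findings, name = [], filename.lower()
    if not name.endswith(".vcf"):
        findings.append(f"unexpected extension on {filename!r}")
    if name.count(".") > 1:
        findings.append(f"double extension on {filename!r}")
    text = data.decode("utf-8", errors="replace")
    if not text.lstrip().upper().startswith("BEGIN:VCARD"):
        findings.append("content does not begin with BEGIN:VCARD")
    for prop, blob in binary_properties(text):
        kind = executable_kind(blob)
        if kind:
            findings.append(f"{prop} embeds {kind} content")
    return findings
```

A non-empty result is a reason to quarantine the card rather than open it; the checks are cheap enough to run on every incoming attachment.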

8 of 67 comments

  1. Just saying... by Flavianoep · Score: 2

    WhatsApp is quite popular in Brazil. Just saying...

    --
    Linux is for people who don't mind RTFM.
  2. Bug still in Web interface? by ripvlan · Score: 2

    How can 200 million be affected by the web interface? I don't know what WhatsApp is (heard of it, never used it). I assume that "web" means web server... and I thought that the power of the web was that all clients are using the latest and greatest version all of the time.

    To upgrade 200 million users - wouldn't I upgrade the web-server?

    The article didn't get into the product design.

    1. Re:Bug still in Web interface? by MobyDisk · Score: 2

      The confusion here stems from the fact that someone named a piece of application software with the word "web" and "app" in it. That's almost as bad as naming a web site with "slash" and "dot" in the name just to confuse people.

      "When this card is opened from within the app..."

      There's an app. It's vulnerable.

      Speaking more generally: this is the problem with operating systems allowing applications to register custom URLs. Someone can click on a link, but the link doesn't open in a web browser, it launches a local application and passes that data to the application. So it allows local vulnerabilities to become remote vulnerabilities.

    2. Re:Bug still in Web interface? by IamTheRealMike · Score: 2

      WhatsApp is one of the world's most popular chat networks. It has nearly a billion users globally and dominates mobile chat/SMS replacement everywhere outside of the USA and China (possibly Japan).

      WhatsApp has a very interesting security design. It uses end-to-end encryption for messages (at least between some clients). As a result the web (really: desktop) version can't work in the way most normal web apps work. What it actually does is build a connection to your actual phone and remotely control it. If your phone is off you can't use the web version. The reason is: only the phone has the encryption keys. WhatsApp doesn't provide message backups etc. for this sort of reason also.

      I don't know why the web app has a user-triggered update process, but it would not surprise me if it's related to that: for instance, the web app checks digital signatures on the new version before re-caching it locally.

  3. Re:Relevancy? by Anonymous Coward · Score: 2, Informative

    It's a chat app that carefully cultivated the appearance of being "more private" than text messaging and old IM services like AOL or ICQ. Then it got bought by Facebook for a billion dollars.

    I suppose the news here is that it's leaking information to people who aren't paying Facebook for it.

  4. Re:Who really uses WhatsApp by Gaygirlie · Score: 2

    There are no good alternatives, though. XMPP, for example, is a huge effing mess and doesn't even properly support modern features. As an example, I have been trying to set up an XMPP server of my own, and for some reason Pidgin users can transfer files to other Pidgin users and Conversations (an Android-based XMPP client) users can send files to other Conversations users, but Pidgin-to-Conversations or Conversations-to-Pidgin doesn't work. All the things related to file transfers and such are afterthoughts, so it's no wonder, even; it was originally just meant for text-based chatting, and that shines through everywhere.

  5. BBM stands alone by Rigel47 · Score: 2

    As does BB10 OS in not having any of these ridiculous vulnerabilities.

    I guess it's true, people really just don't care about security. Every week there is an announcement of some massive hole in Android, iOS, etc., and yet nobody considers moving to a free, secure, and feature-rich platform like BlackBerry.

  6. Re:Relevancy? by IamTheRealMike · Score: 2

    It's that thing the entire world outside of the USA and parts of Asia use instead of SMS.