
WhatsApp fixes a dangerous security flaw for its web client

WhatsApp issued a fix for a vulnerability that allowed hackers to install malicious software on a victim's computer through the app's web-based interface.

According to a report from security firm Check Point, WhatsApp's web interface could be exploited by sending an infected vCard contact. The contact would contain malicious code, forcing the computer to install various ransomware, malware and bots.

Dubbed ‘MaliciousCard’, the vulnerability was basically impossible for a Windows computer to spot. It is not known whether Mac users are affected by the vulnerability.

“All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malwares,” the company says in a blog post.

The security firm noted that it informed WhatsApp about the vulnerability, and the messaging service issued an update on August 21 that fixes the bug. WhatsApp Web v0.1.4481 and later are not affected by the vulnerability.

“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices”, said Oded Vanunu, Security Research Group Manager at Check Point.

WhatsApp, which is available across multiple platforms, recently announced that it reached 900 million monthly active users. WhatsApp Web, which offers several of the mobile app's functionalities including the ability to send and receive text and audio notes, is used by more than 200 million users.