WhatsApp Web, the browser version of the popular instant messaging app, have just lived very critical hours due to a flaw in its security system. The bug has put at risk the data of WhatsApp Web 200 million users, but luckily the problem has already been solved. Unfortunately, it is possible that in the meantime some of the users of the app have been affected by a cyberattack.
Now we really have to thank Kasif Dekel, researcher at Check Point laboratories, who, after some test, discovered the dangerous bug. But which was the trick? Dekel found out that it was simple but equally treacherous . All you needed to hack a device which was using WhatsApp Web was a vCard . The procedure was this. After founding out the telephone number of a potential victim, the hacker sent him a vCard, which the victim opened without thinking too much.
Opening the vCard a malicious code was initiated. The code contained very dangerous tools like RATs (remote access tools, which enable hackers to remotely access a device), bots and ransomware (which makes users pay money to have access again to their own data). But how could this happen? WhatsApp did not control the size of a vCard file, so the application did not notice that inside it there was an executable code and downloaded it.
The discovery was publicly announced on the 8th of September, but WhatsApp was already working to fix the bug since August. In fact, fortunately, Check Point reported immediately to WhatsApp Security Team this flaw on the 21th of August (WhatsApp Web was available from the 19th of August), and by the 27th of August it was fixed.
Oded Vanonu, Security Research Group Manager at Check Point, posted this message: “Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client“.