WhatsApp Patches Flaw That Put Hundreds of Millions at Risk
A Check Point security researcher found that the WhatsApp instant messaging tool wasn't properly validating incoming messages.

WhatsApp, an increasingly popular cross-platform mobile messaging application that Facebook now owns, was until Aug. 27 exposed to a flaw that put a substantial number of its users at risk. The flaw was formally disclosed today by security vendor Check Point, which first reported the vulnerability to the WhatsApp security team on Aug. 21.

The vulnerability affects the WhatsApp Web application, which approximately 200 million of WhatsApp's 900 million customers use. WhatsApp Web provides an interface that runs on user devices by way of a Web browser.

The flaw that Check Point discovered is that an attacker could potentially send a WhatsApp Web user a vCard that includes malicious code. A vCard is an industry-standard format for business card information. According to Check Point, the unpatched WhatsApp Web interface enabled the malicious vCard to open on the user's device as an executable, which could have included malware.

The root cause of the vCard flaw that Check Point reported to WhatsApp is that the system did not properly filter input from the contact cards. Check Point security researcher Kasif Dekel was able to intercept the Extensible Messaging and Presence Protocol (XMPP) message requests sent to the WhatsApp servers in order to manipulate the vCard files.
"We were surprised to find that WhatsApp fails to perform any validation on the vCard format or the contents of the file," Oded Vanunu, group manager, security research at Check Point, wrote in a blog post.
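The article's root-cause statement, that the contact cards were not validated before being handed to the user's device, is the kind of gap a receiving service closes with strict input checks. The following is an added illustration, not code from Check Point, WhatsApp or the original article: a small validator that accepts an attachment only if it is structurally a vCard (RFC 6350 BEGIN/VERSION/FN/END framing, text-only content, an allow-list of property names, a size cap) and that forces the saved filename to a `.vcf` extension regardless of what the sender supplied. The allow-list, the size limit and the sample inputs are assumptions chosen for the example.

```javascript
// Added example (not WhatsApp's or Check Point's code): strict validation of an
// incoming "contact card" attachment before it is stored or offered to a user.
// Design choice (assumption): a conservative allow-list of vCard properties.
const ALLOWED_PROPS = new Set([
  "VERSION", "FN", "N", "TEL", "EMAIL", "ADR", "ORG", "TITLE", "URL", "NOTE", "BDAY",
]);
const MAX_BYTES = 16 * 1024; // assumed upper bound for a plain contact card

// Returns { ok, reason }. Rejects anything that is not a plain-text vCard:
// binary content, missing framing, unknown properties, malformed lines.
function validateVCard(text) {
  if (typeof text !== "string" || text.length === 0) return { ok: false, reason: "empty" };
  if (text.length > MAX_BYTES) return { ok: false, reason: "too large" };
  // A vCard is text; any control byte other than CR, LF and TAB means this is
  // something else wearing a contact-card label.
  if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(text)) return { ok: false, reason: "binary content" };

  // Unfold continuation lines (RFC 6350 section 3.2), then split into content lines.
  const lines = text.replace(/\r?\n[ \t]/g, "").split(/\r?\n/).filter((l) => l.length > 0);
  if (lines.length < 3) return { ok: false, reason: "too short" };
  if (lines[0].toUpperCase() !== "BEGIN:VCARD") return { ok: false, reason: "missing BEGIN" };
  if (lines[lines.length - 1].toUpperCase() !== "END:VCARD") return { ok: false, reason: "missing END" };

  let hasVersion = false;
  let hasFN = false;
  for (const line of lines.slice(1, -1)) {
    // [group.]NAME[;param=value...]:VALUE  (params approximated as "no colon")
    const m = /^(?:([A-Za-z0-9-]+)\.)?([A-Za-z][A-Za-z0-9-]*)((?:;[^:]*)?):(.*)$/.exec(line);
    if (!m) return { ok: false, reason: `malformed line: ${line.slice(0, 40)}` };
    const name = m[2].toUpperCase();
    // Unknown properties (including a nested BEGIN, or blob carriers such as
    // PHOTO) are rejected outright rather than passed through.
    if (!ALLOWED_PROPS.has(name)) return { ok: false, reason: `property not allowed: ${name}` };
    if (name === "VERSION") {
      if (!["2.1", "3.0", "4.0"].includes(m[4].trim())) return { ok: false, reason: "bad version" };
      hasVersion = true;
    }
    if (name === "FN") hasFN = true;
  }
  if (!hasVersion || !hasFN) return { ok: false, reason: "VERSION and FN required" };
  return { ok: true, reason: "" };
}

// Never trust the sender's filename: strip whatever extension it carried,
// drop path and punctuation characters, and always end in ".vcf".
function safeAttachmentName(name) {
  const base = String(name)
    .replace(/\.[^.]*$/, "")
    .replace(/[^A-Za-z0-9 _-]/g, "")
    .trim()
    .slice(0, 64) || "contact";
  return base + ".vcf";
}

// Constructed sample inputs (not real traffic).
const GOOD_CARD =
  "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL;TYPE=cell:+1-555-0100\r\nEND:VCARD\r\n";
const NOT_A_CARD = "MZ\u0000\u0003"; // constructed: a non-text blob labelled as a contact
const MALFORMED_CARD = "BEGIN:VCARD\nVERSION:3.0\nFN:Bob\nthis line has no colon\nEND:VCARD";

function runDemo() {
  return {
    good: validateVCard(GOOD_CARD),
    blob: validateVCard(NOT_A_CARD),
    malformed: validateVCard(MALFORMED_CARD),
    filename: safeAttachmentName("contact.exe"),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The two checks work together: `validateVCard` refuses to treat arbitrary bytes as a contact card, and `safeAttachmentName` ensures that even a card that passes validation is never written to disk under an executable extension supplied by the sender.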