WhatsApp, an increasingly popular cross-platform mobile messaging application that Facebook now owns, was until Aug. 27 affected by a flaw that could have put a substantial number of its users at risk. The flaw was formally disclosed today by security vendor Check Point, which first reported the vulnerability to the WhatsApp security team on Aug. 21.
The vulnerability affects the WhatsApp Web application that approximately 200 million of WhatsApp’s 900 million customers use. The WhatsApp Web application provides an interface that runs on user devices by way of a Web browser.
The flaw that Check Point discovered could have let an attacker send a WhatsApp Web user a vCard that includes malicious code. A vCard is an industry-standard format for business card information. According to Check Point, the unpatched WhatsApp Web interface enabled the malicious vCard to open on the user’s device as an executable, which could have included malware.
The root cause of the vCard flaw that Check Point reported to WhatsApp is that the system did not properly filter input from the contact cards. Check Point security researcher Kasif Dekel was able to intercept the Extensible Messaging and Presence Protocol (XMPP) message requests sent to the WhatsApp servers in order to manipulate the vCard files.
“We were surprised to find that WhatsApp fails to perform any validation on the vCard format or the contents of the file,” Oded Vanunu, group manager, security research at Check Point, wrote in a blog post.
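As an added illustration (not code from WhatsApp or Check Point), this is the kind of format-and-content validation a receiving client can apply to a vCard before offering it to the user. The function name, the size cap and the choice to accept only one card per file are assumptions.

```javascript
// Added example: receive-side validation of a vCard payload.
// Names and limits are assumptions for illustration, not WhatsApp code.
const MAX_BYTES = 64 * 1024;                       // assumed size cap
const VERSIONS = new Set(["2.1", "3.0", "4.0"]);
// [group.]NAME[;param[=value]]...:value  (content-line shape, RFC 6350),
// deliberately stricter than the RFC: quoted parameter values are refused.
const CONTENT_LINE =
  /^(?:[A-Za-z0-9-]+\.)?([A-Za-z0-9-]+)(?:;[A-Za-z0-9-]+(?:=[^;:\x00-\x1f\x7f]*)?)*:([^\x00-\x08\x0a-\x1f\x7f]*)$/;

function validateVCard(text) {
  const fail = (reason) => ({ ok: false, reason });
  if (typeof text !== "string") return fail("not text");
  if (new TextEncoder().encode(text).length > MAX_BYTES) return fail("too large");

  // Unfold continuation lines, then split into logical lines.
  const lines = text.replace(/\r?\n[ \t]/g, "").split(/\r?\n/);
  while (lines.length && lines[lines.length - 1] === "") lines.pop();

  // The envelope must be exactly one BEGIN:VCARD ... END:VCARD pair.
  const first = (lines[0] || "").toUpperCase();
  const last = (lines[lines.length - 1] || "").toUpperCase();
  if (first !== "BEGIN:VCARD") return fail("missing BEGIN:VCARD");
  if (last !== "END:VCARD") return fail("missing END:VCARD");

  const seen = new Map();
  for (const line of lines.slice(1, -1)) {
    const m = CONTENT_LINE.exec(line);
    if (!m) return fail("malformed line: " + JSON.stringify(line.slice(0, 40)));
    const name = m[1].toUpperCase();
    if (name === "BEGIN" || name === "END") return fail("nested card");
    seen.set(name, m[2]);
  }
  if (!VERSIONS.has(seen.get("VERSION"))) return fail("bad or missing VERSION");
  if (!seen.has("FN") && !seen.has("N")) return fail("no name property");
  return { ok: true, reason: null };
}

// Constructed sample inputs (not taken from the reported issue).
const GOOD =
  "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL;TYPE=CELL:+1 555 0100\r\nEND:VCARD\r\n";
const NOT_A_CARD = "arbitrary bytes that only claim to be a contact card";
const STRAY_LINE =
  "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nthis is not a property\r\nEND:VCARD\r\n";
```

A payload that fails the check should be dropped or shown as plain text, never handed to the operating system to open.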
While Check Point was able to trigger the flaw in its own research, and while 200 million users could have been at risk, there has been no exploitation, thanks to Check Point’s reporting the flaw and WhatsApp’s fixing it, Vanunu said. “Currently, there is no evidence of this vulnerability being exploited in the wild,” he told eWEEK.
As to how Check Point discovered the flaw in the first place, Vanunu only commented that as part of Check Point’s mission to protect the Internet, his company is constantly conducting security audits on popular services and products.
The vCard flaw in WhatsApp Web does not have a Common Vulnerabilities and Exposures (CVE) number associated with it.
“There is no CVE assigned to this issue; CVE-IDs are usually assigned to vulnerabilities that are deployed by the end user,” Vanunu said.
Vanunu praised WhatsApp for its quick response in fixing the issue with an initial mitigation as well as an updated Web client, version v.01.4481, which was deployed Aug. 27. Vanunu noted that had WhatsApp not been fast at updating, Check Point’s own customers would still have been protected.
“WhatsApp has already pushed the fix to all users. However, if they had not been responsive, Check Point would have generated IPS [intrusion prevention system] and endpoint protection [technology] to protect customer endpoints,” Vanunu said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.