Oh snap! Yap app WhatsApp chaps zap .BAT trap in hack flap
Thinking cap on after security gap tapped
The web version of phone chat app WhatsApp – yes, there's a web version – allowed internet lowlifes to fire off malware at potentially millions of PCs, apparently.
WhatsApp Web runs in your browser, and allows you to message friends and follow conversations just as you would on your mobe. We're told Check Point security researcher Kasif Dekel found a way to sling malicious executables at netizens via WhatsApp Web. Check Point also reckons some 200 million people use the web service.
"To target an individual, all an attacker needs is the phone number associated with the account," noted Check Point's Oded Vanunu in a blog post on Tuesday.
WhatsApp lets you swap contact details between friends using vCards: if you need to get hold of a person, you can ask a chum to fire over a vCard with their phone number inside.
Clicking on the card should start a conversation with this new contact. According to Check Point, it was trivial to send over a .BAT file, all dressed up as a legit vCard, that triggered a malicious executable when clicked on by the victim. To the poor sod being targeted, the booby-trapped message looks like any other message from a pal.
WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.
The vulnerability lies in improper filtering of contact cards, sent utilizing the popular ‘vCard’ format.
During Kasif’s research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file. He first changed the file extension to .BAT, which indicates a Windows batch (executable script) file.
This means, once the victim clicks the downloaded file (which he assumes is a contact card), the code inside the batch file runs on his computer.
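The defensive counterpart to the flaw Check Point describes, as an added example rather than code from WhatsApp or Check Point: a validator a web chat client could run on an incoming contact-card attachment before offering it for download. It assumes attachments arrive as objects with `declaredType`, `filename` and `body` fields (an assumption, not WhatsApp's real message format), accepts only an allowlisted extension whose body actually parses as a vCard, and derives the download name itself so the sender never chooses the extension.

```javascript
// Added example, not WhatsApp's or Check Point's code. The attachment shape
// { declaredType, filename, body } is an assumption made for illustration.

const VCARD_EXTENSIONS = new Set([".vcf", ".vcard"]); // allowlist, not a blocklist

// Structural check: a vCard is a BEGIN:VCARD ... END:VCARD block containing a
// VERSION line. A file that fails this is not a contact card, whatever it is named.
function looksLikeVCard(body) {
  const text = body.replace(/\r\n/g, "\n").trim();
  const lines = text.split("\n");
  return (
    lines.length >= 3 &&
    lines[0].toUpperCase() === "BEGIN:VCARD" &&
    lines[lines.length - 1].toUpperCase() === "END:VCARD" &&
    lines.some((l) => /^VERSION:\d/i.test(l))
  );
}

// Last extension only, lowercased: "alice.vcf.bat" yields ".bat", not ".vcf".
function extensionOf(filename) {
  const dot = filename.lastIndexOf(".");
  return dot < 0 ? "" : filename.slice(dot).toLowerCase();
}

// Returns { ok, reason, saveAs }. saveAs is built by the client from a sanitised
// base name plus a fixed .vcf suffix, so the sender cannot pick the extension.
function validateContactCard(att) {
  if (att.declaredType !== "contact") {
    return { ok: false, reason: "not declared as a contact card" };
  }
  const ext = extensionOf(att.filename);
  if (!VCARD_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `disallowed extension "${ext}"` };
  }
  if (!looksLikeVCard(att.body)) {
    return { ok: false, reason: "body is not a vCard" };
  }
  const base = att.filename.replace(/[\\/]/g, "_").replace(/\.[^.]*$/, "");
  return { ok: true, reason: "", saveAs: `${base}.vcf` };
}

// Constructed sample attachments for demonstration.
const GOOD = {
  declaredType: "contact",
  filename: "alice.vcf",
  body: "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice\r\nTEL:+15550100\r\nEND:VCARD\r\n",
};
const BAD_EXT = {
  declaredType: "contact",
  filename: "alice.bat", // declared as a contact, named as a batch script
  body: "@echo off\r\necho not a contact card\r\n",
};
const BAD_BODY = {
  declaredType: "contact",
  filename: "bob.vcf", // right extension, wrong content
  body: "@echo off\r\necho not a contact card\r\n",
};

for (const att of [GOOD, BAD_EXT, BAD_BODY]) {
  const r = validateContactCard(att);
  console.log(att.filename, "->", r.ok ? `accept as ${r.saveAs}` : `reject: ${r.reason}`);
}
```

The two checks are deliberately independent: the extension allowlist stops a renamed script, and the body check stops a script that was given a harmless-looking name, so an attacker who controls one field still has to satisfy the other.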
WhatsApp fixed the problem on August 27, six days after it was reported by Check Point, which went public with the details this week. ®