According to the Venture Capital Post, Facebook messaging tool WhatsApp now boasts over 900 million users and projects to hit 1 billion in the near future. While it’s not a huge money-maker for Facebook just yet — it’s charging just $1 per year in North America and Europe, and the app is available for free in developing countries — the service is nonetheless a popular target for cybercriminals.
As noted by SC Magazine, the newest attack vector leverages virtual business cards, or vCards. When opened on the Web version of the app, users could be exposed to a host of malware risks.
Kasif Dekel, a researcher for Check Point Security, which first found the new vulnerability, said all it takes for an attacker to compromise a victim’s computer is the right mobile phone number and a single vCard. Once opened in the WhatsApp Web service, hidden executable files in the vCard are activated, allowing attackers to install anything from ransomware to remote access tools (RATs), bots or Trojans.
Compounding the problem is the prevalence of vCards and the fact that many seem above board on the surface. What’s more, obtaining a user’s phone number often takes little more than a quick Internet search — and once a new vCard arrives, most users are willing to take a look since they often believe their number isn’t available for public viewing.
The app itself doesn’t help matters because it automatically syncs users’ mobile devices and desktop computers to provide a unified experience — meaning that even if users typically avoid their desktop, they’ll get a vCard notification and may be tempted to log on and check out the message, in turn exposing their system to malware. And with approximately 200 million WhatsApp users leveraging the Web portal on a regular basis, this malware threat comes with a significant attack surface.
The Issue With Doing Everything
Facebook’s purchase of WhatsApp certainly seems to be paying off. Users love the service, and the company has a built-in revenue model if and when they choose to use it. But the service suffers from the same problem as many others of similar nature: trying to do everything, all at once, for interested users.
While synchronization across devices and the ability to view images, videos, audio files, locations and contact cards is attractive for users, this kind of smorgasbord represents massive opportunity for cybercriminals. If users can be convinced to download one malicious file or open one seemingly legitimate business card, it’s possible to infect entire systems without victims even knowing they’ve been compromised.
Fortunately, WhatsApp has been quick to respond. While all versions before 0.1.4481 are still vulnerable, the company issued a temporary mitigation against this vCard vulnerability for Web clients and already has a more permanent fix in the works. Of course, the onus for updating remains with the user — the sooner the better to ensure protection against this kind of exploit.
Messaging apps are prime targets for attackers since they offer big user basis and a low bar to entry. Stopping cybercriminal trash talk demands a combination of app developer speed and user commitment to securing their own devices.