WhatsApp security breach lets hackers target web app users

The Telegraph has reported that a software vulnerability has been discovered in the web-based version of the popular WhatsApp messaging app for smartphones, which could allow hackers to trick users into downloading malware onto their PCs. This could potentially put 200 million web app users at risk.

Richard Cassidy, technical director EMEA, Alert Logic comments:

“This type of threat against WhatsApp isn’t new in terms of how we see hackers attempt to exploit popular messaging services. Given the inherently open trust model that WhatsApp is built on, such as finding contacts in address books who may be using WhatsApp and sending invites openly to others, in addition to open sharing of files, images, videos and of course vCards, it’s an app that presents a great deal of opportunity for attackers to trick users (for whom they have details) into opening a seemingly legitimate or interesting file that could lead to an exploit of the host device. That said, the move to a browser-based version of the popular application means greater security risks are now present that weren’t before on mobile platforms.

Users of any IM application need to stick to online best practices to reduce the risk of being compromised. Always be vigilant when receiving any type of file from an unknown source and question the sender if you’re unsure. Even if files seem to come from someone you know, put it into context on the basis of your normal communication with that person: would they have had a need to send you a file, were you expecting any files or contacts – if not, never be afraid to delete or question.

How WhatsApp have responded to this vulnerability is a great example of the vendor doing a sterling job in helping to mitigate against a newly discovered vulnerability in as short a time-frame as possible; there is only so much they could have done to prevent this; we very much live in a world of shared security responsibility and users have to remain aware of the potential risks of accepting suspicious communication in any online activity.”

Rob Sobers, director, Varonis notes:

“While the impact of this exploit is quite scary in that an attacker can take full control of a victim’s computer, it does require the target user to be tricked into opening a vCard that they don’t recognise, making it analogous to an email phishing attack. With the user-base of the web app being so large (200M+), we might see users continue to fall victim until WhatsApp forces users to upgrade to a patched version.” 

TK Keanini, CTO, Lancope states:

“The news here is not the vulnerability but the agility and responsiveness of the application vendor to protect their community of users. This is what responsible disclosure looks like and an example of a software vendor that users can trust to do the right thing (quickly). It is the users’ responsibility to keep things up to date. If you don’t know if you are up to date, chances are that you are not.”