A bug discovered in the WhatsApp web extension could allow hackers to take remote control of users’ computers with just their phone number, a security firm has warned
A software vulnerability has been discovered in the web-based version of the popular WhatsApp messaging app for smartphones, which could allow hackers to trick users into downloading malware on their PCs.
Last month, WhatsApp made its web client, known as WhatsApp Web, available to iPhone users for the first time, after rolling out the service for Android, BlackBerry and Windows Phone earlier in the year.
The service effectively replicates the experience of using the mobile app in a web browser, allowing users to view all of the messages they have sent and received – including images, videos, audio files, locations and contact cards – on their PC.
However, security firm Check Point claims to have discovered a vulnerability that could compromise computers, by allowing hackers to distribute malware including ransomware, bots, remote access tools (RATs) and other types of malicious code.
Ransomwear forces victims to pay a ransom to regain access to their systems and data, bots cause the system to slow down to a crawl, and RATs give hackers remote access to the victim’s PC.
WhatsApp recently announced that it had reached 900m active users a month, and at least 200m are estimated to use the WhatsApp Web interface.
To target an individual, all an attacker needs is the phone number associated with their account. By sending a seemingly innocent ‘vCard’ contact card containing malicious code, and persuading the victim to open it, they can launch an executable file and begin downloading malware onto their PC.
WhatsApp has verified and acknowledged the security issue and has developed a fix for web clients worldwide, which started rolling out on August 27. All versions of WhatsApp Web after v0.1.4481 contain the fix for the vulnerability.
Check Point said that users should update their WhatsApp web software immediately and clear their browser cache to ensure that the patch is applied. The update will appear in the notification bar.
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, security research group manager at Check Point.
“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”
WhatsApp had not replied to a request for comment at the time of writing.