Vulnerabilities In WhatsApp Web Affect Millions of Users Globally

An anonymous reader writes with an alert for anyone who uses the WhatsApp Web application. Check Point researcher Kasif Dekel, according to NetSecurity.Org, has discovered that "to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code." When this card is opened from within the app, the executable it contains is run, "further compromising computers by distributing malware including ransomware, bots, remote access tools, and other types of malicious code." Not all users need to panic about this vulnerability, though: the company has rolled out a fix, contained in all versions of WhatsApp Web after v0.1.4481. But with an estimated 200 million users of the web-based version, many users aren't yet using the updated version.
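A defender-side check suggested by the summary above: before an application hands a received "contact card" to the vCard handler, it can verify that the file really is a vCard and not an executable or script wearing a .vcf name. This is an added example, not WhatsApp's or Check Point's code; the file names and byte blobs are constructed, and it assumes only that the handler sees a filename and the raw bytes.

```python
import re
from typing import Tuple

# RFC 6350 content line: [group.]NAME[;params]:value
_CONTENT_LINE = re.compile(r"^(?:[A-Za-z0-9-]+\.)?[A-Za-z0-9-]+(?:;[^:]*)?:.*$")
# Leading bytes of things that are executables, scripts or archives, never contact cards.
_EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"@echo", b"PK\x03\x04")

# Constructed samples (not real files): a genuine card, a PE image and a batch
# script, each of which might arrive with a harmless-looking .vcf name.
GOOD_VCF = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
            b"NOTE:a long note that is\r\n  folded per RFC 6350\r\nEND:VCARD\r\n")
EXE_AS_VCF = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
SCRIPT_AS_VCF = b"@echo off\r\necho not a contact card\r\n"


def check_contact_card(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only a file that is really a vCard:
    a .vcf name, text only, no executable signature, and every line a
    syntactically valid vCard content line inside a BEGIN/END envelope."""
    if not filename.lower().endswith(".vcf"):
        return False, "name does not end in .vcf"
    if data.startswith(b"\xef\xbb\xbf"):  # tolerate a UTF-8 byte-order mark
        data = data[3:]
    if b"\x00" in data:
        return False, "binary content (NUL byte)"
    if data.lstrip().startswith(_EXEC_MAGIC):
        return False, "executable/script signature at start of file"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 text"
    # Unfold continuation lines (line break followed by a space or tab).
    text = re.sub(r"\r?\n[ \t]", "", text)
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        return False, "missing BEGIN:VCARD/END:VCARD envelope"
    for ln in lines:
        if not _CONTENT_LINE.match(ln):
            return False, f"line is not a vCard content line: {ln[:40]!r}"
    return True, "well-formed vCard"


if __name__ == "__main__":
    for name, blob in [("alice.vcf", GOOD_VCF), ("alice.vcf", EXE_AS_VCF),
                       ("alice.vcf", SCRIPT_AS_VCF), ("alice.vcf.exe", GOOD_VCF)]:
        print(name, check_contact_card(name, blob))
```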
  • Relevancy? (Score:1, Interesting)

    by Anonymous Coward

    What's "WhatsApp" and why do we care?

    Amusingly, my 'captcha' today is the word "stupid".

    • Re: (Score:2, Informative)

      by Anonymous Coward

      It's a chat app that carefully cultivated the appearance of being "more private" than text messaging and old IM services like AOL or ICQ. Then it got bought by Facebook for a billion dollars.

      I suppose the news here is that it's leaking information to people who aren't paying Facebook for it.

      • It's a chat app that carefully cultivated the appearance of being "more private" than text messaging and old IM services like AOL or ICQ. Then it got bought by Facebook for a stupid 19 billion dollars.

        I suppose the news here is that it's leaking information to people who aren't paying Facebook for it.

        • It boggled my mind that the people who run such corporations and are in charge of the initial IPO scam are fucking stupid enough to pay that kind of money for corporations with no assets or revenue.

          This is idiotic people running corporations thinking they have unlimited pretend money.

          How is it that shareholders and analysts aren't looking at crap like this and asking how this could possibly be valued at these levels?

          Oh, that's right, the big institutional investors who help do this shit know they'll just pa

    • You should care because, you know, a proprietary, non-standard way of sending messages to friends was really something we missed.

      • by piojo ( 995934 )

        You should care because, you know, a proprietary, non-standard way of sending messages to friends was really something we missed.

        Where they really succeeded was the UI/UX. It's a chat app with auto-generated accounts and no user-visible authentication (this means you don't need to log on). In general, its UI is exactly the same as SMS, which is very well suited to a phone.

    • by Anonymous Coward

      Several years ago it was a great alternative here in Italy to SMSes, which cost around €0.10 each to send for those of us who had pay as you go phones. Everyone switched to WhatsApp to message instead and it blew up that way. It wasn't just Italy, but all of Europe.

      Looking at it from an American perspective, it's hard to understand why it's as big as it is.

      • You could have used anything else instead. Why a proprietary, non-standard solution?

        • by fisted ( 2295862 )

          Because alas, people don't care about that. If it's "easy", "free" and "works", they'll go for it. I guess whatsapp was among the first smartphone "apps" that delivered on all three points (in their respective quotation marks), and then it was simply a matter of inertia and network effect.

          Yes, it's shit, but no, there's nothing one can do about it.

          I arranged myself around it with bitlbee [bitlbee.org] (linked against libpurple (for which a plugin exists that speaks the WhatsApp protocol)).

          • Whatsapp will die soon one way or another. There isn't any closed, proprietary communication protocol that survived the years (think about phone, email, telegraph, they are all open standards). The sooner the better. The whole point of these protocols is to have total reachability. If there are dozens of competing, closed messaging apps, it will suck as none of them will allow to contact everyone.

            • by fisted ( 2295862 )

              Yeah. No need to explain this to me, I fully agree on the matter. I'm just realistic enough to realize it ain't gonna happen.

              Phone, email and telegraph were actual innovations, and people went for them for a lack of alternatives, so that comparison doesn't really hold.

    • It's that thing the entire world outside of the USA and parts of Asia use instead of SMS.

  • More shitware ... (Score:2, Insightful)

    by gstoddart ( 321705 )

    Not even sure what this is, but this might explain why I've started seeing spam messages telling me What's App sent me a message.

    I have no idea what this app is, and I don't care ... I'm sure it's one of the endless stream of shitware out there whose sole purpose is to collect your data and deliver ads. I'm sure it pretends to do something useful too, like they all do. But all these apps and social media crap are really about two things: collecting your data and delivering ads.

    And in all likelihood will b

    • by c ( 8461 )

      Yawn, wake me up with the golf rush of this shit has ended.

      I think you meant "gold rush", but damned if "golf rush" isn't a more apt description of this rash of venture-capital funded app companies...

    • by mlts ( 1038732 )

      To me, the app has no purpose. Another communications medium for tracking behavior, taking people's messages, storing them indefinitely, and allowing virtually anyone access as per the TOS? No thanks.

      There are so many mail/messaging protocols out there. Enterprise? Skype for Business/Lync. Old school? IRC and USENET. Common chat? SMS, MMS, XMPP. Wanting to blab to the public about how many coils pinched off in the morning? Web page. Then, there is always Facebook.

      Using another messenger just make

    • "I'm sure it's one of the endless stream of shitware out there whose sole purpose us to collect your data and deliver ads"

      One of the notable points about WhatsApp is that there are no ads: the user pays for it.

  • by Flavianoep ( 1404029 ) on Tuesday September 08, 2015 @08:15AM (#50477773)

    Whatsapp is quite popular in Brazil. Just saying...

    • Whatsapp is quite popular in Brazil. Just saying...

      It costs me 30 cents a minute to call a Brazilian cell phone (my wife's from there and we like talking with her family). WhatsApp is free the first year and about a buck per subsequent year. It is a convenient option for my wife.

  • by ripvlan ( 2609033 ) on Tuesday September 08, 2015 @08:29AM (#50477855)

    How can 200 million be affected by the web interface? I don't know what WhatsApp is (heard of it - never used it) I assume that "web" means web-server...and I thought that the power of the web was all clients are using the latest and greatest version all of the time.

    To upgrade 200 million users - wouldn't I upgrade the web-server?

    The article didn't get into the product design.

    • by MobyDisk ( 75490 )

      The confusion here stems from the fact that someone named a piece of application software with the word "web" and "app" in it. That's almost as bad as naming a web site with "slash" and "dot" in the name just to confuse people.

      When this card is opened from within the app...

      There's an app. It's vulnerable.

      Speaking more generally: this is the problem with operating systems allowing applications to register custom URLs. Someone can click on a link, but the link doesn't open in a web browser, it launches a local application and passes that data to the ap

      • Too easy a way to escape the sandbox of the browser. So this is a browser issue as well, allowing a web app to call external programs and run them with arbitrary data as input outside the sandbox the regular app is (supposed to be) running in.

    • What is more surprising:

      many users aren't yet using the updated version.

      I always thought that one of the interesting bits of a web app is that when the server updates it, all clients are automatically updated as well, latest when the page is reloaded or the browser is restarted. It seems I'm wrong there. There also doesn't seem to be an (easy) way to check the current version of the app - just checked in Chromium.

    • WhatsApp is one of the world's most popular chat networks. It has nearly a billion users globally and dominates mobile chat/SMS replacement everywhere outside of the USA and China (possibly Japan).

      WhatsApp has a very interesting security design. It uses end to end encryption for messages (at least between some clients). As a result the web (really: desktop) version can't work in the way most normal web apps work. What it actually does is build a connection to your actual phone and remotely controls it. If yo

  • More and more I believe in the conclusion that the only real defense is to just not have the feature/app/whatever

    • More and more I believe in the conclusion that the only real defense is to just not have the feature/app/whatever

      No, feel free to use and abuse these apps all you want.

      That said, just don't believe a single word advertised about their security, since it will be proven in a matter of weeks or months that it was never a serious consideration.

  • How can a web version not be rolled out to most people? If you refresh your web page it is updated - done. As the patch was released more than 10 days ago, surely most people had to refresh somewhere. Feels like just another sensational article to me...

  • The article referenced has a hearsay status. The Check Point blog has no entry on this vulnerability. Doesn't that sound curious at all? An InfoSec company not promoting the s%^& out of itself?

    • by jrumney ( 197329 )

      Here is the Checkpoint blog entry [checkpoint.com] on the vulnerability. The vulnerability is real, I got an unsolicited message last week with a "vcard" attached, but since it was unsolicited and not from someone I know, I deleted the conversation and blocked the user without looking at it. Now I'm wishing that I'd at least kept a record of who it was from so I can figure out who was doing the spearphishing.

  • by Rigel47 ( 2991727 ) on Tuesday September 08, 2015 @08:59AM (#50478103)

    As does BB10 OS in not having any of these ridiculous vulnerabilities.

    I guess it's true, people really just don't care about security. Every week is an announcement of some massive hole in Android, iOS, etc, and yet nobody considers moving to a free, secure, and feature-rich platform like BlackBerry.

    • This has nothing to do with Android or iOS. It's the web app, not the mobile phone app. And of course there's no issue for BB. It's just like *BSD. No-one uses it, so no-one targets it. Security by obscurity.

      • Right.. which is why pretty much every head of state uses a BlackBerry.. because nobody will bother trying to hack that platform.

  • A shit-written app for social-media numpties has a glaring vulnerability?? Geez, who coulda seen that coming??

    Obligatory: I'm shocked, SHOCKED I TELL YOU!!

  • I got the window open and I'm about to chuck my computer out of it.

  • "When this card is opened from within the app, the executable it contains is run, "further compromising computers by distributing malware including ransomware, bots, remote access tools, and other types of malicious code.""

    What platforms can this 'ransomware' run on to further compromise the device?
