Vulnerabilities In WhatsApp Web Affect Millions of Users Globally
An anonymous reader writes with an alert for anyone who uses the WhatsApp Web application. Check Point researcher Kasif Dekel, according to NetSecurity.Org, has discovered that "to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code." When this card is opened from within the app, the executable it contains is run, "further compromising computers by distributing malware including ransomware, bots, remote access tools, and other types of malicious code."
Not all users need to panic about this vulnerability, though: the company has rolled out a fix, contained in all versions of WhatsApp Web after v0.1.4481. But with an estimated 200 million users of the web-based version, many users aren't yet using the updated version.
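The summary above describes a contact card that looks harmless but carries something the client ends up executing. The defensive lesson is that a vCard received from an arbitrary sender is untrusted input and should be validated strictly before it is handed to anything that saves or opens it. The following is an added example, not code from the article, Check Point or WhatsApp; the allow-list of properties, the size limit and the sample cards are constructed assumptions for illustration. It rejects cards that lack a proper BEGIN/END envelope, contain control characters, carry properties outside the allow-list, embed base64 binary payloads, or have a display name containing path separators (relevant if the name ever becomes a file name).

```python
import re

# Constructed allow-list: the vCard properties a plain contact import needs.
# Anything else (PHOTO, LOGO, SOUND, KEY, X-* extensions ...) is rejected.
ALLOWED_PROPS = {"VERSION", "FN", "N", "TEL", "EMAIL", "ORG", "TITLE", "ADR", "NOTE", "UID"}
MAX_LINE = 1024  # assumed sane upper bound for one unfolded content line

# One content line: [group.]NAME[;param=value...]:VALUE (RFC 6350 section 3.3)
PROP_RE = re.compile(
    r"^(?P<group>[A-Za-z0-9-]+\.)?(?P<name>[A-Za-z0-9-]+)(?P<params>(;[^:]*)*):(?P<value>.*)$"
)


def _unfold(text):
    """Normalise line endings and join RFC 6350 folded continuation lines."""
    out = []
    for ln in text.replace("\r\n", "\n").split("\n"):
        if ln[:1] in (" ", "\t") and out:
            out[-1] += ln[1:]
        else:
            out.append(ln)
    return [ln for ln in out if ln != ""]


def validate_vcard(text):
    """Return (ok, reasons) for an untrusted vCard. ok is True only if reasons is empty."""
    reasons = []
    if not isinstance(text, str):
        return False, ["payload is not text"]
    # Control characters other than CR/LF/TAB have no business in a contact card.
    if any(ord(c) < 0x20 and c not in "\r\n\t" for c in text):
        reasons.append("control characters present")
    lines = _unfold(text)
    if len(lines) < 2 or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        reasons.append("missing BEGIN:VCARD/END:VCARD envelope")
        return False, reasons
    seen_fn = False
    for ln in lines[1:-1]:
        if len(ln) > MAX_LINE:
            reasons.append("oversized content line")
            continue
        m = PROP_RE.match(ln)
        if not m:
            reasons.append("malformed content line: %r" % ln[:40])
            continue
        name = m.group("name").upper()
        params = m.group("params").upper()
        value = m.group("value")
        if name not in ALLOWED_PROPS:
            reasons.append("disallowed property %s" % name)
        # Inline binary blobs (ENCODING=b / BASE64) are how executables ride along in text.
        if "ENCODING=B" in params or "ENCODING=BASE64" in params:
            reasons.append("embedded binary payload in %s" % name)
        if name == "FN":
            seen_fn = True
            # If the display name is ever reused as a file name, separators must not survive.
            if "/" in value or "\\" in value or "\x00" in value:
                reasons.append("path separator in display name")
    if not seen_fn:
        reasons.append("no FN property")
    return (not reasons), reasons


# Constructed sample cards for demonstration.
GOOD_CARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Ada Lovelace\r\nN:Lovelace;Ada;;;\r\n"
    "TEL;TYPE=cell:+44 20 7946 0000\r\nEND:VCARD\r\n"
)
BAD_CARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Totally Legit\r\n"
    "PHOTO;ENCODING=b;TYPE=JPEG:TVqQAAMAAAAEAAAA\r\nEND:VCARD\r\n"
)
NO_ENVELOPE = "FN:Nobody\r\n"

if __name__ == "__main__":
    for label, card in (("good", GOOD_CARD), ("bad", BAD_CARD), ("no envelope", NO_ENVELOPE)):
        print(label, validate_vcard(card))
```

The check is deliberately an allow-list: a new property type has to be added explicitly rather than being passed through by default, which is the posture a client should take for anything it receives from strangers.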
Relevancy? (Score:1, Interesting)
What's "WhatsApp" and why do we care?
Amusingly, my 'captcha' today is the word "stupid".
Re: (Score:2, Informative)
It's a chat app that carefully cultivated the appearance of being "more private" than text messaging and old IM services like AOL or ICQ. Then it got bought by Facebook for a billion dollars.
I suppose the news here is that it's leaking information to people who aren't paying Facebook for it.
Re: (Score:2)
It's a chat app that carefully cultivated the appearance of being "more private" than text messaging and old IM services like AOL or ICQ. Then it got bought by Facebook for a stupid 19 billion dollars.
I suppose the news here is that it's leaking information to people who aren't paying Facebook for it.
Re: (Score:2)
It boggled my mind that the people who run such corporations and are in charge of the initial IPO scam are fucking stupid enough to pay that kind of money for corporations with no assets or revenue.
This is idiotic people running corporations thinking they have unlimited pretend money.
How is it that shareholders and analysts aren't looking at crap like this and asking how this could possibly be valued at these levels?
Oh, that's right, the big institutional investors who help do this shit know they'll just pa
Re: (Score:2)
C-Level requires you to be a C... to get there, maybe? ;-)
Re: (Score:2)
You should care because, you know, a proprietary, non-standard way of sending messages to friends was really something we missed.
Re: (Score:2)
You should care because, you know, a proprietary, non-standard way of sending messages to friends was really something we missed.
Where they really succeeded was the UI/UX. It's a chap app with auto-generated accounts and no user-visible authentication (this means you don't need to log on). In general, its UI is exactly the same as SMS, which is very well suited to a phone.
Re: (Score:2)
*chat app
Re: (Score:1)
Several years ago it was a great alternative here in Italy to SMSes, which cost around €0.10 each to send for those of us who had pay as you go phones. Everyone switched to WhatsApp to message instead and it blew up that way. It wasn't just Italy, but all of Europe.
Looking at it from an American perspective, it's hard to understand why it's as big as it is.
Re: (Score:2)
You could have used anything else instead. Why a proprietary, non-standard solution?
Re: (Score:2)
Because alas, people don't care about that. If it's "easy", "free" and "works", they'll go for it. I guess whatsapp was among the first smartphone "apps" that delivered on all three points (in their respective quotation marks), and then it was simply a matter of inertia and network effect.
Yes, it's shit, but no, there's nothing one can do about it.
I arranged myself around it with bitlbee [bitlbee.org] (linked against libpurple (for which a plugin exists that speaks the WhatsApp protocol)).
Re: (Score:2)
Whatsapp will die soon one way or another. There isn't any closed, proprietary communication protocol that survived the years (think about phone, email, telegraph; they are all open standards). The sooner the better. The whole point of these protocols is to have total reachability. If there are dozens of competing, closed messaging apps, it will suck as none of them will let you contact everyone.
Re: (Score:2)
Yeah. No need to explain this to me, I fully agree on the matter. I'm just realistic enough to realize it ain't gonna happen.
Phone, email and telegraph were actual innovations, and people went for them for a lack of alternatives, so that comparison doesn't really hold.
Re: (Score:3)
It's that thing the entire world outside of the USA and parts of Asia use instead of SMS.
Re: (Score:2)
The fact the version number starts with V-ZERO tells me this is a product not even ready for public usage.
Re: (Score:2)
Ever thought about sending your file by email? Why would we need a proprietary, non-standard communication protocol?
Re: (Score:2)
of course XMPP isn't. WhatsApp is.
Re: (Score:2)
Whatsapp is so bad that it works with phone numbers. Therefore it is so bad that I don't see why anyone would want to use it.
Re: (Score:2)
XMPP is not a proprietary protocol. Also, attaching images, sound-clips and short video-clips is a pretty common way of adding flavour to a conversation. E-mail is not an on-going live conversation, it's not comparable.
Adding images, sound-clips and short video-clips sounds like a pretty common way to annoy who you are talking to. I hate instant message programs. They are a productivity killer. I see other people dropping what they are doing and instantly switching over to see what the latest "Ding!" was about. You might as well send me an e-mail because I will get to it when I have a moment, not immediately. If you require my 100% focus, arrange a meeting.
Re: (Score:2)
" As an example, I have been trying to set up an XMPP-server of my own and for some reason Pidgin-users can transfer files to other Pidgin-users and Conversations (an Android-based XMPP-client) users can send files to other Conversations-users, but Pidgin-to-Conversations or Conversations-to-Pidgin doesn't work."
That's because Pidgin is a piece of shit multi-client, even file transfers between Pidgin-Pidgin over Yahoo or AIM networks fail all the time. XMPP works just fine, it's fucking Pidgin.
More shitware ... (Score:2, Insightful)
Not even sure what this is, but this might explain why I've started seeing spam messages telling me What's App sent me a message.
I have no idea what this app is, and I don't care ... I'm sure it's one of the endless stream of shitware out there whose sole purpose is to collect your data and deliver ads. I'm sure it pretends to do something useful too, like they all do. But all these apps and social media crap are really about two things: collecting your data and delivering ads.
And in all likelihood will b
Re: (Score:2)
I think you meant "gold rush", but damned if "golf rush" isn't a more apt description of this rash of venture-capital funded app companies...
Re: (Score:2)
LOL .. that's possibly the best typo I'll make all wookie.
Re: (Score:2)
To me, the app has no purpose. Another communications medium for tracking behavior, taking people's messages, storing them indefinitely, and allowing virtually anyone access as per the TOS? No thanks.
There are so many mail/messaging protocols out there. Enterprise? Skype for Business/Lync. Old school? IRC and USENET. Common chat? SMS, MMS, XMPP. Wanting to blab to the public about how many coils pinched off in the morning? Web page. Then, there is always Facebook.
Using another messenger just make
Re: (Score:2)
"I'm sure it's one of the endless stream of shitware out there whose sole purpose is to collect your data and deliver ads"
One of the notable points about WhatsApp is that there are no ads: the user pays for it.
Just saying... (Score:3)
Re: (Score:2)
Whatsapp is quite popular in Brazil. Just saying...
It costs me 30 cents a minute to call a Brazilian cell phone (my wife's from there and we like talking with her family). WhatsApp is free the first year and about a buck per subsequent year. It is a convenient option for my wife.
Bug still in Web interface? (Score:3)
How can 200 million be affected by the web interface? I don't know what WhatsApp is (heard of it, never used it). I assume that "web" means web-server... and I thought that the power of the web was that all clients are using the latest and greatest version all of the time.
To upgrade 200 million users - wouldn't I upgrade the web-server?
The article didn't get into the product design.
Re: (Score:3)
The confusion here stems from the fact that someone named a piece of application software with the word "web" and "app" in it. That's almost as bad as naming a web site with "slash" and "dot" in the name just to confuse people.
When this card is opened from within the app...
There's an app. It's vulnerable.
Speaking more generally: this is the problem with operating systems allowing applications to register custom URLs. Someone can click on a link, but the link doesn't open in a web browser, it launches a local application and passes that data to the ap
Re: (Score:2)
Too easy a way to escape the sandbox of the browser. So this is a browser issue as well, allowing a web app to call external programs and run them with arbitrary data as input outside the sandbox the regular app is (supposed to be) running in.
Re: (Score:2)
What is more surprising:
many users aren't yet using the updated version.
I always thought that one of the interesting bits of a web app is that when the server updates it, all clients are automatically updated as well, at the latest when the page is reloaded or the browser is restarted. It seems I'm wrong there. There also doesn't seem to be an (easy) way to check the current version of the app; I just checked in Chromium.
Re: (Score:3)
WhatsApp is one of the world's most popular chat networks. It has nearly a billion users globally and dominates mobile chat/SMS replacement everywhere outside of the USA and China (possibly Japan).
WhatsApp has a very interesting security design. It uses end to end encryption for messages (at least between some clients). As a result the web (really: desktop) version can't work in the way most normal web apps work. What it actually does is build a connection to your actual phone and remotely controls it. If yo
Re: (Score:2)
So I still can't use Whatsapp without a smartphone? That's annoying.
Sigh (Score:2)
Re: (Score:2)
More and more I believe in the conclusion that the only real defense is to just not have the feature/app/whatever
No, feel free to use and abuse these apps all you want.
That said, just don't believe a single word advertised about their security, since it will be proven in a matter of weeks or months that it was never a serious consideration.
BBM stands alone (Score:3)
I guess it's true, people really just don't care about security. Every week there is an announcement of some massive hole in Android, iOS, etc., and yet nobody considers moving to a free, secure, and feature-rich platform like BlackBerry.
Re: (Score:2)
This has nothing to do with Android or iOS. It's the web app, not the mobile phone app. And of course there's no issue for BB. It's just like *BSD. No-one uses it, so no-one targets it. Security by obscurity.
Obligatory (Score:1)
A shit-written app for social-media numpties has a glaring vulnerability?? Geez, who coulda seen that coming??
Obligatory: I'm shocked, SHOCKED I TELL YOU!!
WhatsApp :: cross-platform mobile messaging app (Score:2)
What platforms can this 'ransomware' run on to further compromise the device?