WhatsApp, one of the world’s most popular instant messaging services, has a bug in its security system which could endanger the security of more than 200 million web users, security firm Check Point has warned. The flaw in WhatsApp Web, which is a clone of the service in a desktop browser, allows hackers to distribute malware.
The bug affects only the web-based service, however, the firm added, to avoid unnecessary panic among users of the messaging app.
WhatsApp, which was purchased by Facebook in February 2014, has a 900-million-strong user base, of which 200 million also use the web version. The web version of the app allows users to get their messages, images, videos and all other content on their PCs instead of their smartphones. The malicious phishing code could imperil the security of all users by tricking them into executing arbitrary code on their computers.
The hackers work by sending a legitimate-looking virtual business card to know their target’s mobile number. Once an unsuspecting user clicks on this card, the code gets distributed. A cybersecurity expert says it is all the easier for hackers to get mobile numbers that have been disclosed via other breaches.
“While the hacker would find a way to use the number of someone within the person’s contact list, all that was needed then was to create a scenario where they would send the vCard, and once opened, the virus would enter the system,” Silicon Republic explained.
The chances of anyone clicking open a business card sent their way are quite high, given that it is a cross-platform messaging app.
“Once opened it could attempt to download and infect your system with ransomware,” added Mark James, a specialist at security firm ESET.
This is not the first time the messaging service has jeopardised the security of its users. Earlier, in February 2015, the company had sent waves of panic through its users with a flaw which allowed anyone to track them regardless of their privacy settings.
When Check Point informed WhatsApp about the bug on August 21, the latter took quick action, fixing it in an update issued on August 27.