Are you a fan of WhatsApp?
The hugely popular messaging app has just been alerted to a flaw that would allow hackers to trick users into downloading malicious apps on the web-based client of the app.
“What’s WhatsApp?” you say?
For the uninitiated, WhatsApp is currently the most popular messaging app with over 900 million users as of September 2015 and its popularity just keeps growing.
Created in 2009 by two ex-employees from Yahoo!, Brian Acton and Jan Koum, WhatsApp got off to a rocky start. Koum and Acton thought about throwing in the towel more than once as they encountered numerous technical glitches that made the program difficult or impossible to use. But they stuck it out and later that year came up with a workable model. After months of having no more than a handful of users, WhatsApp hit the App Store for iPhone users exclusively, and suddenly, user growth skyrocketed.
In 2014 the app was sold to Facebook for the unprecedented amount of $19 billion, and in January 2015 they released the web-based version of the app, which allows users to send messages to other users regardless of the browser they are in. The web-based client has grown to over 200 million users in the nine months since its inception.
WhatsApp and Security
Right from the beginning WhatsApp has experienced security issues.
Among many other security issues, in 2011 vulnerabilities were discovered that left the app open to session hijacking. And in 2014 two teenagers discovered the Message Handler Vulnerability, which allows anyone to remotely crash the app under certain circumstances. In June 2015 the app received a grade of 2 out of 7 points on the EFF (Electronic Frontier Foundation, a digital rights advocacy group) Scorecard rating system as they found it to be less than secure when it comes to encrypting messages and verifying contacts.
This latest vulnerability, which is specific to the web-based version and was discovered by Check Point Security, goes something like this: a contact card laced with malware is sent to a user, who opens it thinking it’s from a friend. All the attacker needs is the victim’s phone number and for the victim to accept the card. As soon as it’s opened, the malicious code begins to run on the victim’s computer. It can then be used to install any kind of malicious program, such as trojans, spyware and browser hijackers.
The firm alerted WhatsApp to the flaw, and within a week they issued a patch.
This flaw has not yet been used in the wild, and it’s a good thing too: the flaw could leave every one of 200 million web-based users open to exploit.
To steer clear of any danger, now that the vulnerability has been disclosed, make sure you update your WhatsApp software immediately and clear your caches to be certain that the patch is up and running.