Facebook-owned WhatsApp has fixed a flaw in the web-based version of the service that had exposed some 200 million users to threats such as ransomware and spam bots.
Security firm Check Point uncovered the flaw, which it said allowed attackers to trick victims into “executing arbitrary code on their machines” by sending what appear to be harmless downloads such as contact information or emoji packs.
“All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code,” Check Point said in a blog post.
“Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, remote access trojans, and other malware.”
Check Point used the example of sharing the supposed contact details of Angelina Jolie as a way in which an attacker could trick someone into accepting a malicious vCard file.
Check Point said that it made WhatsApp aware of the flaw on 21 August and that the company had issued a fix by 27 August.
“WhatsApp verified and acknowledged the security issue and deployed the fix in web clients worldwide. To make sure you are protected, update your WhatsApp Web right now.”
Check Point praised WhatsApp for its speedy response. Security research group manager Oded Vanunu said that it should serve as a lesson to other firms in how to respond to security flaw notifications.
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” he said.
“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”
Numerous incidents have seen even major companies like Microsoft fail to deal with security reports before disclosure deadlines, including a high-profile incident with Google at the start of the year that saw the two firms clash.