Facebook-owned WhatsApp has fixed a flaw in the web-based version of the service that had exposed some 200 million users to threats such as ransomware and spam bots.
Security firm Check Point uncovered the flaw that it said allows attackers to trick victims into “executing arbitrary code on their machines” by sending what appear to be harmless downloads such as contact information or emoji packs.
“All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code,” Check Point said in a blog post.
“Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, remote access trojans, and other malware.”
Check Point used the example of sharing the supposed contact details of Angelina Jolie as a way in which an attacker could trick someone into accepting a malicious vCard file.
Check Point said that it made WhatsApp aware of the flaw on 21 August and that the company had issued a fix by 27 August.
“WhatsApp verified and acknowledged the security issue and deployed the fix in web clients worldwide. To make sure you are protected, update your WhatsApp Web right now.”
Check Point praised WhatsApp for its speedy response. Security research group manager Oded Vanunu said that it should serve as a lesson to other firms in how to respond to security flaw notifications.
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” he said.
“We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.”
Numerous incidents have seen even major companies like Microsoft fail to deal with security reports before disclosure deadlines, including a high-profile incident with Google at the start of the year that saw the two firms clash.