Check Point security recently discovered a vulnerability in the WhatsApp Web application that allows hackers to take control of a user's computer by sending them a file that looks like a vCard.
Check Point security researchers have recently discovered various vulnerabilities in the WhatsApp Web application. Hackers would exploit a user’s computer by sending them a vCard, but the vCard is actually an executable file and opens up a PC to malware and phishing attacks.
WhatsApp Web, a web-based extension of the WhatsApp application on a phone, mirrors all messages sent and received and fully synchronizes the phone with the desktop computer, so that users can see all messages on both devices.
WhatsApp Web is available for most WhatsApp supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and Nokia smartphones. In September 2015, WhatsApp announced they had reached 900 million active users a month. At least 200M are estimated to use the WhatsApp Web interface, considering publicly available web traffic statistics.
Check Point security researcher Kasif Dekel recently discovered significant vulnerabilities which exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs and other malware.
To target an individual, all an attacker needs is the phone number associated with the account.
WhatsApp verified and acknowledged the security issue and has deployed the fix in web clients world-wide. To make sure you are protected, update your WhatsApp Web right now.
Check Point shared its discovery with WhatsApp on August 21, 2015. On August 27, WhatsApp rolled out the initial fix (in all versions greater than 0.1.4481) and blocked that particular feature.
WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.
The vulnerability lies in improper filtering of contact cards sent using the popular ‘vCard’ format.
This is a screenshot of a possible contact vCard sent by a malicious user:
As you can see, this message (contact card) appears legitimate, like any other contact card; most users would click it immediately without giving it a second thought.
The implication of this innocent action is downloading a file which can run arbitrary code on the victim’s machine:
An Initial Hole
During Kasif’s research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file.
He first changed the file extension to .BAT, which indicates a Windows batch (executable script) file:
This means, once the victim clicks the downloaded file (which he assumes is a contact card), the code inside the batch file runs on his computer.
Let’s see what’s inside the downloaded file (i.e. the batch file):
This is a standard vCard format. To run malicious code, Kasif found out an attacker could simply inject a command into the name attribute of the vCard file, separated by the ‘&’ character. When the file is executed as a batch script, Windows attempts to run every line in the file, including the attacker-controlled injected line.
Further research showed that no XMPP interception or crafting is needed for this attack, since any user can create such a contact with an injected payload on their phone, no hacking tools necessary:
Once such a contact is created, all an attacker has to do is share it via the normal WhatsApp client.
But can we take it to the next level? Could we possibly discover a way to share malicious PE (.exe) files through WhatsApp’s default sharing features (no external links)?
To answer that, we have to examine WhatsApp’s communication protocols; WhatsApp uses a customised version of the open standard Extensible Messaging and Presence Protocol (XMPP).
This is how vCard messages appear over-the-wire (with some reconstruction) when sent using WhatsApp’s protocol:
· NUMBER/GROUPID: the victim’s number or group ID
· ID: the message ID
· TIMESTAMP: the timestamp of the sender device
· FILENAME: the VCARD file name, <something>.exe
· FILEDATA: the raw data of the file
We were surprised to find that WhatsApp failed to perform any validation on the vCard format or the contents of the file: when we placed an .exe file into this request, the WhatsApp Web client happily let us download the PE file in all its glory:
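The validation the article says was missing, written here as an added example (not WhatsApp's or Check Point's code): it checks the attachment extension carried in the FILENAME field, rejects PE content, and parses the vCard body so that non-property lines and shell metacharacters in the name fields (the ‘&’ injection described above) are refused. The sample vCards and the property allow-list are constructed for the example.

```python
import re

# Constructed sample attachments (added example, not from the article).
BENIGN_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "N:Doe;Jane;;;\r\n"
    "FN:Jane Doe\r\n"
    "TEL;TYPE=CELL:+27000000000\r\n"
    "END:VCARD\r\n"
)
# Constructed: a harmless command appended to the name field via '&'.
INJECTED_VCARD = BENIGN_VCARD.replace("FN:Jane Doe", "FN:Jane Doe & echo injected")

ALLOWED_EXTENSIONS = {".vcf"}
# Standard vCard properties a contact card is expected to carry; X- extensions are allowed too.
ALLOWED_PROPERTIES = {"BEGIN", "END", "VERSION", "N", "FN", "NICKNAME", "TEL", "EMAIL",
                      "ADR", "ORG", "TITLE", "NOTE", "URL", "PHOTO", "BDAY", "REV", "UID"}
# name[;param=value...]:value  (group prefixes such as item1.TEL are accepted)
PROPERTY_LINE = re.compile(r"^([A-Za-z0-9.-]+)((?:;[A-Za-z0-9-]+=[^;:]*)*):(.*)$")
SHELL_METACHARS = set("&|<>^")


def unfold(text):
    """Join RFC 2425 folded continuation lines (leading space/tab) onto their property line."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def validate_contact_attachment(filename, data):
    """Return the reasons to reject a contact-card attachment; an empty list means accept."""
    problems = []
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {ext or '(none)'} not allowed for a contact card")
    if data[:2] == b"MZ":  # DOS/PE header: an executable, whatever the name says
        problems.append("content is a PE executable, not a vCard")
    lines = unfold(data.decode("utf-8", errors="replace"))
    if not lines or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        problems.append("missing BEGIN:VCARD / END:VCARD envelope")
    for line in lines:
        m = PROPERTY_LINE.match(line)
        if not m:
            problems.append(f"not a vCard property line: {line[:40]!r}")
            continue
        name = m.group(1).upper().rsplit(".", 1)[-1]
        if name not in ALLOWED_PROPERTIES and not name.startswith("X-"):
            problems.append(f"unexpected property {name}")
        if name in ("N", "FN") and SHELL_METACHARS & set(m.group(3)):
            problems.append(f"shell metacharacter in {name} value")
    return problems
```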
But wait, there’s more! Clever attackers can exploit this in more devious scenarios, using the displayed icon to enrich the scam:
This simple trick opened up a vast world of opportunity for cybercriminals and scammers, in effect allowing easy “WhatsApp Phishing”. Mass exploitation of this vulnerability could have affected millions of users who would not have realised the malicious nature of the attachment.
· August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
· August 23, 2015 – First response received.
· August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481).
· September 8, 2015 – Public disclosure.
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, Security Research Group Manager at Check Point. We applaud WhatsApp for such a proper response, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should secure their products and act in accordance with security best practices.
Check Point continues to be on the lookout for vulnerabilities in common software and Internet platforms, disclosing issues as they are discovered and protecting consumers and customers against tomorrow’s threats.
Huawei goes ultra-premium
Porsche Design and Huawei have launched the Porsche Design Huawei Mate RS in South Africa exclusive to MTN and retailing for R 26 459.
The Porsche Design Huawei Mate RS boasts features like the world’s first dual fingerprint design, including an in-screen fingerprint sensor, the world’s first Artificial Intelligence (AI) processor and Leica triple camera with 40MP image capture.
“After the overwhelming success of the Porsche Design Huawei Mate 10 Pro in South Africa, we now bring you our latest offering, a perfect blend of innovation in a smartphone and luxury design,” said Likun Zhao, Vice President of Huawei Consumer Business Group Southern Africa. “From the three-point security feature, including facial recognition, rear fingerprint scanner and the new innovative in-screen fingerprint, to the Leica triple camera system, it culminates in an unprecedented experience for our customers.”
The device incorporates Porsche Design’s signature design language and Huawei’s breakthrough technology. The phone has a 6” 2K curved OLED screen and symmetrical look, minimalist feel and 8-edged 3D curved glass body.
High performance is symbolised by the naming of the smartphone: the term “RS” in the world of Porsche motorsport stands for outstanding racing performance.
Huawei provided the following information on the Porsche Design Huawei Mate RS benefits and features:
· The world’s first dual fingerprint scanner for enhanced convenience, allowing users to wake and unlock the device simply, thanks to an in-screen fingerprint sensor. Hover to wake the device, touch to unlock it
· The winning combination of a Leica triple camera with 40MP RGB sensor technology and exceptional photography powered by Master AI. This combination puts effortless, eye-catching photography at the fingertips of those looking to immortalise their favourite moments. Combined with 5x hybrid zoom and the world’s first AI image stabilisation on a smartphone camera, it ensures photography lovers can capture the best shots with exceptional clarity in almost any situation
· The Porsche Design Huawei Mate RS is the first Huawei handset to allow quick wireless charging, making it even easier to keep the phone topped up and ready to go; thanks to its long-lasting battery, users will easily be powered through the busiest of days
· An ‘intelligent’ smartphone, the powerful AI processor automatically tailors the performance of the phone according to how it is used – constantly learning, understanding and anticipating needs, it is the perfect personal assistant for the pocket
· 256GB of internal storage means those constantly on the go and constantly on their phone can be worry free
· Dual SLS (super linear system) speakers with DOLBY ATMOS enable users to have a superior experience, with the best immersive surround sound and entertainment on the go
· Splash, water and dust resistant, which means there is no need to worry about damaging the device in the rain or accidentally dropping it in water
Jan Becker, CEO Porsche Design Group, said: “Both Porsche Design and Huawei seek to imagine and develop products that stand for precision and perfection, intelligent functionality and highly sophisticated design. Our aim was to create an outstanding device that goes one step further. We believe we have reached this goal by taking our partnership to the next level.”
Porsche Design and Huawei have worked in tandem to develop a smartphone that fuses together the two brands’ DNA, wealth of experience in design and technology, industry-leading expertise and exceptional performance. Through the use of colour in the device’s body, software themes and accessories, the new handset is accentuated with Porsche Design’s distinguished aesthetic and purist, minimalist feel.
The Porsche Design Huawei Mate RS will be available to purchase exclusively from MTN at R 26 459.
Cross-channel chat launched
Clickatell has launched a cross-channel live chat service, Touch Go, that transforms omni-channel customer care.
It enables live chat across a company’s website as well as social platforms (Twitter and Facebook) and mobile apps, bringing customer care and engagement into a single business platform.
“Today’s consumers expect to engage with your brand on the digital channel of their choosing,” says Deon van Heerden, Clickatell Engage CEO and Group CFO. “They want to message your business and instantly have queries resolved, find the information and services they are looking for, without the need for a voice call. Clickatell’s Touch Go makes that happen with the right level of capabilities for businesses of all sizes.”
Businesses can start using Touch Go immediately, with a free Starter option. Touch Go requires no credit card for sign-up and is fully featured with a simple setup process. It offers customisable branding, a unified chat desk business application as well as reports and analytics.
As the business scales up its digital customer care, it can opt in to the Touch Enterprise offering. Touch Enterprise is designed for scaling up customer care efforts through advanced capabilities including AI-driven virtual agents, sentiment analysis, automated workflows, enterprise integrations and in-channel mini-applications.
“Customer care has become a defining factor for sustained business success,” says Nirmal Nair, Clickatell Engage EVP Product & Marketing. “In an ever-increasing mobile-native world, customers often choose to interact digitally, but they also expect to be able to reach a human immediately, should they need to. Monitoring multiple channels and providing immediate action becomes challenging with siloed deployments. Touch’s unified solution allows businesses of all sizes to provide customer delight in a simple modular approach.”