Check Point security researchers recently discovered a vulnerability in the WhatsApp Web application that allows hackers to take control of a user's computer by sending them a file that looks like a vCard.
Check Point security researchers have recently discovered various vulnerabilities in the WhatsApp Web application. Hackers would exploit a user’s computer by sending them a vCard, but the vCard is actually an executable file and opens up a PC to malware and phishing attacks.
WhatsApp Web, a web-based extension of the WhatsApp application on a phone, mirrors all messages sent and received and fully synchronises the phone with the desktop computer, so that users can see all messages on both devices.
WhatsApp Web is available for most WhatsApp supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and Nokia smartphones. In September 2015, WhatsApp announced they had reached 900 million active users a month. At least 200M are estimated to use the WhatsApp Web interface, considering publicly available web traffic statistics.
Check Point security researcher Kasif Dekel recently discovered significant vulnerabilities which exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs and other malware.
To target an individual, all an attacker needs is the phone number associated with the account.
WhatsApp verified and acknowledged the security issue and have deployed the fix in web clients world-wide. To make sure you are protected, update your WhatsApp Web right now.
Check Point shared its discovery with WhatsApp on August 21, 2015. On August 27, WhatsApp rolled out the initial fix (in all versions greater than 0.1.4481) and blocked that particular feature.
WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.
The vulnerability lies in improper filtering of contact cards, sent utilising the popular ‘vCard’ format.
This is a screenshot of a contact vCard as it might be sent by a malicious user:
As you can see, this message (contact card) appears legitimate, like any other contact card; most users would click it immediately without giving it a second thought.
The implication of this innocent action is downloading a file which can run arbitrary code on the victim’s machine:
An Initial Hole
During his research, Kasif found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file.
He first changed the file extension to .BAT, which indicates a Windows batch (executable script) file:
This means, once the victim clicks the downloaded file (which he assumes is a contact card), the code inside the batch file runs on his computer.
Let’s see what’s inside the downloaded file (i.e. the batch file):
This is a standard vCard format. To run malicious code, Kasif found that an attacker could simply inject a command into the name attribute of the vCard file, separated by the ‘&’ character. When the file is executed as a batch script, Windows attempts to run every line in the file, including the injected line under the attacker's control.
Further research showed that no XMPP interception or crafting is needed for this attack, since any user can create such a contact with an injected payload on their phone, no hacking tools necessary:
Once such a contact is created, all an attacker has to do is share it via the normal WhatsApp client.
But can we take it to the next level? Could we possibly discover a way to share malicious PE (.exe) files through WhatsApp’s default sharing features (no external links)?
To answer that, we have to examine WhatsApp’s communication protocols; WhatsApp uses a customised version of the open standard Extensible Messaging and Presence Protocol (XMPP).
This is how vCard messages appear over-the-wire (with some reconstruction) when sent using WhatsApp’s protocol:
· NUMBER/GROUPID: the victim’s number or group ID
· ID: the message ID
· TIMESTAMP: the timestamp of the sender device
· FILENAME: the VCARD file name, <something>.exe
· FILEDATA: the raw data of the file
We were surprised to find that WhatsApp fails to perform any validation on the vCard format or the contents of the file, and indeed when we placed an .exe file in this request, the WhatsApp Web client happily let us download the PE file in all its glory:
But wait, there’s more! Clever attackers can exploit this in more devious scenarios, using the displayed icon to enrich the scam:
This simple trick opened up a vast world of opportunity for cybercriminals and scammers, in effect allowing easy “WhatsApp Phishing”. Mass exploitation of this vulnerability could have affected millions of users who would fail to realise the malicious nature of the attachment.
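The two defects described above (a contact card whose file name and body are never checked, and a name field that doubles as a batch command line) suggest what a server- or client-side policy should verify before offering a "contact card" for download. The following is an added example written for this page, not Check Point's research code or WhatsApp's fix; the sample attachments are constructed here, and the field name and policy choices are assumptions.

```python
import os
import re
from typing import Tuple

# Constructed sample attachments for this example (not from the original research):
# a benign card, a card with a command injected into the FN line via '&' as the
# article describes, and a PE file offered under a .vcf-looking name.
GOOD_VCARD = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;John;;;\r\nFN:John Doe\r\n"
              b"TEL:+15555550100\r\nEND:VCARD\r\n")
INJECTED_VCARD = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;John;;;\r\n"
                  b"FN:John Doe & calc.exe\r\nEND:VCARD\r\n")
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60  # DOS 'MZ' header marks a Windows PE

ALLOWED_EXTENSIONS = {".vcf"}
# Operators cmd.exe honours when it runs a file line by line as a batch script;
# '&' is the separator the article's injection relies on.
CMD_OPERATORS = re.compile(rb"[&|<>^%]")


def validate_contact_card(filename: str, data: bytes) -> Tuple[bool, str]:
    """Policy for a 'contact card' attachment: accept only when the advertised
    file name, the magic bytes and the vCard body all agree with each other."""
    ext = os.path.splitext(filename)[1].lower()  # last extension wins: 'a.vcf.exe' -> '.exe'
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed for contact cards"
    if data[:2] == b"MZ":
        return False, "body carries a PE header, not a contact card"
    body = data.lstrip()
    if not body.startswith(b"BEGIN:VCARD") or b"END:VCARD" not in body:
        return False, "body does not parse as a vCard"
    for line in body.splitlines():
        # The name fields are what the desktop client displays and, if the file is
        # ever run as a batch script, what the interpreter would execute.
        if line.startswith((b"FN:", b"N:")) and CMD_OPERATORS.search(line):
            return False, f"command operator in name field: {line.decode(errors='replace')}"
    return True, "ok"
```

A legitimate name such as "Smith & Sons" is refused by this strict policy too; a production filter would more likely escape or quarantine such cards rather than drop them outright.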
· August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
· August 23, 2015 – First response received.
· August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481)
· September 8, 2015 – Public disclosure
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, Security Research Group Manager at Check Point. We applaud WhatsApp for such proper responses, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should be secured and act in accordance with security best practices.
Check Point continues to be on the lookout for vulnerabilities in common software and Internet platforms, disclosing issues as they are discovered, protecting consumers and customers against tomorrow’s threats.
UN calls for electronics overhaul to beat e-waste
Seven UN entities have come together at the World Economic Forum to tackle the escalating scourge of electronic waste.
Seven UN entities have come together, supported by the World Economic Forum, and the World Business Council for Sustainable Development (WBCSD) to call for an overhaul of the current electronics system, with the aim of supporting international efforts to address e-waste challenges.
The report calls for systematic collaboration with major brands, small and medium-sized enterprises (SMEs), academia, trade unions, civil society and associations in a deliberative process to reorient the system and reduce the annual waste of resources whose value exceeds the GDP of most countries.
Each year, approximately 50 million tonnes of electronic and electrical waste (e-waste)
Less than 20% of this is recycled formally. Informally, millions of people worldwide (over 600,000 in China alone) work to dispose of e-waste, much of it done in working conditions harmful to both health and the environment.
The report, “A New Circular Vision for Electronics – Time for a Global Reboot,” launched in Davos on 24 January, says technologies such as cloud computing and the Internet of Things (IoT) support a gradual “dematerialization” of the electronics industry.
Meanwhile, to capture the global value of materials in the e-waste and create global circular value chains, the report also points to the use of new technology to create service business models, better product tracking and manufacturer or retailer take-back programs.
The report notes that material efficiency, recycling infrastructure and scaling up the volume and quality of recycled materials to meet the needs of electronics supply chains will all be essential for future production.
And if the electronics sector is supported
The joint report calls for collaboration with multinationals, SMEs, entrepreneurs, academia, trade unions, civil society and associations to create a circular economy for electronics where waste is designed out, the environmental impact is reduced and decent work is created for millions.
The new report supports the work of the E-waste Coalition, which includes:
- International Labour Organization (ILO);
- International Telecommunication Union (ITU);
- United Nations Environment Programme (UN Environment);
- United Nations Industrial Development Organization (UNIDO);
- United Nations Institute for Training and Research (UNITAR);
- United Nations University (UNU), and
- Secretariats of the Basel and Stockholm Conventions (BRS).
The Coalition is supported by the World Business Council for Sustainable Development (WBCSD) and the World Economic Forum and coordinated by the Secretariat of the Environment Management Group (EMG).
Considerable work is being done on the ground. For example, in order to grasp the opportunity of the circular economy, today the Nigerian Government, the Global Environment Facility (GEF) and UN Environment announce a 2 million dollar investment to kick off the formal e-waste recycling industry in Nigeria. The new investment will leverage over 13 million dollars in additional financing from the private sector.
According to the International Labour Organization, in Nigeria up to 100,000 people work in the informal e-waste sector. This investment will help to create a system which formalizes these workers, giving them safe and decent employment while capturing the latent value in Nigeria’s 500,000 tonnes of e-waste.
UNIDO collaborates with a large number of organizations on e-waste projects, including UNU, ILO, ITU, and WHO, as well as various other partners, such as Dell and the International Solid Waste Association (ISWA). In the Latin American and Caribbean region, a UNIDO e-waste project, co-funded by GEF, seeks to support sustainable economic and social growth in 13 countries. From upgrading e-waste recycling
Another Platform for Accelerating the Circular Economy (PACE) report launched today by the World Economic Forum, with support from Accenture Strategy, outlines a future in which Fourth Industrial Revolution technologies provide a tool to achieve a circular economy efficiently and effectively, and where all physical materials are accompanied by a digital dataset (like a passport or fingerprint for materials), creating an ‘internet of materials.’ PACE is a collaboration mechanism and project accelerator hosted by the World Economic Forum which brings together 50 leaders from business, government and international organizations to collaborate in moving towards the circular economy.
Matrics must prepare for AI
By Vian Chinner, CEO and founder of Xineoh.
Many in the matric class of 2018 are currently weighing up their options for the future. With the country’s high unemployment rate casting a shadow on their opportunities, these future jobseekers have been encouraged to look into which skills are required by the market, tailoring their occupational training to align with demand and thereby improving their chances of finding a job, writes Vian Chinner – a South African innovator, data scientist and CEO of the machine learning company specialising in consumer behaviour prediction, Xineoh.
With rapid innovation and development in the field of artificial intelligence (AI), all careers – including high-demand professions like engineers, teachers and electricians – will look significantly different in the years to come.
Notably, the third wave of internet connectivity, whereby our physical world begins to merge with that of the internet, is upon us. This is evident in how widespread AI is being implemented across industries as well as in our homes with the use of automation solutions and bots like Siri, Google Assistant, Alexa and Microsoft’s Cortana. So much data is collected from the physical world every day and AI makes sense of it all.
Not only do new industries related to technology like AI open new career paths, such as those specialising in data science, but they will also modify those which already exist.
So, what should matriculants be considering when deciding what route to take?
For highly academic individuals, who are exceptionally strong in mathematics, data science is definitely the way to go. There is, and will continue to be, massive demand internationally as well as locally, with Element-AI noting that there are only between 0 and 100 data scientists in South Africa, with the true number being closer to 0.
In terms of getting a foot in the door to become a successful data scientist, practical experience, working with an AI-focused business, is essential. Students should consider getting an internship while they are studying or going straight into an internship, learning on the job and taking specialist online courses from institutions like Stanford University and MIT as they go.
This career path is, however, limited to the highly academic and mathematically gifted, but the technology is inevitably going to overlap with all other professions and so, those who are looking to begin their careers should take note of which skills will be in demand in future, versus which will be made redundant by AI.
In the next few years, technicians who are able to install and maintain new technology will be highly sought after. On the other hand, many entry level jobs will likely be taken care of by AI – from the slicing and dicing currently done by assistant chefs, to the laying of bricks by labourers in the building sector.
As a rule, students should be looking at the skills required for the job one step up from an entry-level position and working towards developing these. Those training to be journalists, for instance, should work towards the skill level of an editor, and a bookkeeping trainee towards the role of a financial consultant.
This also means that new workforce entrants should be prepared to walk into a more demanding role, with more responsibility, than perhaps previously anticipated and that the country’s education and training system should adapt to the shift in required skills.
The matric classes of 2018 have completed their schooling in the information age and we should be equipping them, and future generations, for the future market – AI is central to this.