Connecting to LinkedIn...

W1siziisijiwmtuvmdqvmtuvmdgvntqvmzgvnzi1l01ptlrbu0hfqkxpr19vtljftkrfukvex0lnqudfx3jlc2l6zwrfyw5kx3jlbmrlcmvklmpwzyjdlfsiccisinrodw1iiiwimtkymhgxmjuwiyjdxq

Blog

vCard Vulnerability Exposes WhatsApp Users

8/09/2015 by Sharon Shahzad

W1siziisijiwmtuvmdkvmdgvmtuvndgvmzevnjc3l3doyxrzyxbwicgyks5qcgcixsxbinailcj0ahvtyiisijywmhg0mdbcdtawm2uixv0

A vulnerability discovered in WhatsApp Web, the web-based extension of the WhatsApp mobile application, can be exploited by attackers to trick users into executing arbitrary code on their machines.

Discovered by Check Point security researcher Kasif Dekel, the vulnerability can be exploited by simply sending a vCard contact card containing malicious code to a WhatsApp user. As soon as the seemingly innocent vCard is opened in WhatsApp Web, the malicious code in it can run on the target machine.

This vulnerability allows cybercriminals to compromise the affected computer by distributing all types of malware, including ransomware, bots, and remote access tools (RATs), Check Point’s researcher explains.

The underlying issue lies in the improper filtering of contact cards that are sent using the popular ‘vCard’ format. “By manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file,” the Check Point researcher explained in a blog post.

An attacker can inject a command in the name attribute of the vCard file, separated by the ‘&’ character. Windows automatically tries to run all lines in the file, including the injection line, when the vCard is opened.

This attack does not require XMPP interception of crafting, due to the fact that anyone can create such a contact with an injected payload, directly on the phone, Check Point notes. As soon as the contact is ready, the attacker only needs to share it through the WhatsApp client to unsuspicious users.

This article has been extracted from http://www.securityweek.com, please click on this link to read the article in full http://www.securityweek.com/vcard-vulnerability-exposes-whatsapp-users

Montash is a multi-award winning global technology recruitment business. Specialising in permanent and contract positions across mid-senior appointments across a wide range of industry sectors and IT functions, including:

ERP Recruitment, BI & Data Recruitment, Information Security Recruitment, Enterprise Architecture & Strategy Recruitment , Energy Technology Recruitment, Demand IT and Business Engagement Recruitment, Digital and E-commerce Recruitment, Leadership Talent, Infrastructure and Service Delivery Recruitment, Project and Programme Delivery Recruitment.

Montash is headquartered in Old Street, London, in the heart of the technology hub. Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid-management in permanent and contract roles.

comments powered by Disqus

Social Stream

Latest News

W1siziisijiwmtcvmdevmtyvmdkvntivmdgvotu5l0nhcmvlci5qcgcixsxbinailcj0ahvtyiisijm4mhgxmdajil1d

What are your career resolutions for 2017?

2017-01-16 09:00:00 +0000

The new year is traditionally a time to make resolutions for personal growth, but how about for your career? Setting goals is important because they provide a map for your career, helping you to organise your time, effort and resources on getting where you want to be. On a broader scale, having obtainable objectives can increase your job satisfaction, boost your self-esteem and improve your overall wellbeing. So, let’s take a look at the resolutions tha...

W1siziisijiwmtcvmdevmtmvmtevmtyvntmvmta1l0j1c2luzxnzieludgvsbglnzw5jzs5qcgcixsxbinailcj0ahvtyiisijm4mhgxmdajil1d

Business Intelligence trends for 2017

2017-01-13 11:00:00 +0000

Business Intelligence (BI) has evolved a lot in recent years, with most experts understanding that it is now far more than just data reporting. There remains a role for data scientists to play when it comes to analysing information, but it’s also increasingly important for every employee in a firm to be able to not only access data but also analyse it. During 2016, there was a wave of new self-service analytical tools developed across sectors, enabling ...