Up to 200,000 users of WhatsApp’s web-based service may have been hit in a cyberattack that let hackers compromise personal data using just their phone number.
WhatsApp Web is a service that allows people to access the messaging service via a browser on a smartphone or computer, rather than the app.
Hackers were sending so-called vCards to random phone numbers they had obtained, according to Check Point, the security firm that originally found the vulnerability.
A vCard is an electronic contact card that you can send to another person. For example, if somebody wanted the number of someone in your phone’s contact book, you could send the vCard over and the other person would have all the details. The vCard sent by the hackers contained malicious code that would distribute bots, ransomware and remote access tools (RATs) on a person’s phone or PC.
Bots can slow down a person’s system, ransomware makes people pay money to regain access to their own data, while RATs allow hackers to remotely access a device.
The vulnerability was first disclosed to WhatsApp on August 21 and fixed by August 27. The public disclosure was made on Tuesday.
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” Oded Vanunu, security research group manager at Check Point, wrote in a blog post.
WhatsApp recently announced it had reached 900 million active users with around 200 million estimated to be using the web-based version.