Hacker News
WhatsApp Security Vulnerability (telegraph.co.uk)
34 points by rsobers on Sept 8, 2015 | 5 comments



I wonder why this should only be exploitable on the WhatsApp web application. If it is possible to trick browsers into launching arbitrary applications by using vcards, this should affect many web applications using vcards and the security issue would have been in the browser side of things. What am I missing?


OK, the linked [0] blog post from Check Point has more details into what's actually happening.

[0] http://blog.checkpoint.com/2015/09/08/whatsapp-maliciouscard...


It simply allows you to send arbitrary files. No different to sending a link to a virus over email or putting a link on a Web page.

Stupid/normal users would then try to run the downloaded file.


It's a little more guileful than that, and it definitely is a flaw with WhatsApp not validating their file types/formats.


But only a little - you could argue the vast majority of e-mail attachments are .doc etc with parsing bugs rather than straight .exe. Contrary to the gushing "using only their phone number" in the article, they admit that gullibility is required.
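
The file type/format validation mentioned in the thread above, sketched as an added example (not from the thread, the article or WhatsApp's code): a receiving client checks that an attachment presented as a contact card has a .vcf name and parses as vCard text before offering it to the user. The function name, size limit and simplified line grammar are assumptions.

```python
import re

# Assumed policy for this sketch, not WhatsApp's actual rules.
ALLOWED_EXTENSIONS = {".vcf"}
MAX_CARD_BYTES = 64 * 1024
# Simplified shape of one vCard content line: [group.]NAME[;params]:value
CONTENT_LINE = re.compile(r"^([A-Za-z0-9-]+\.)?[A-Za-z0-9-]+(;[^:]*)?:.*$")

# Constructed sample input.
GOOD_CARD = (b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
             b"TEL;TYPE=CELL:+15555550100\r\nEND:VCARD\r\n")


def validate_vcard(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an attachment; an empty list means accept."""
    problems = []
    name = filename.strip().lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {ext or '(none)'} is not allowed")
    if len(data) > MAX_CARD_BYTES:
        problems.append("payload too large for a contact card")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        # Binary content can never be a vCard; stop here.
        return problems + ["payload is not UTF-8 text"]
    # Unfold continuation lines (a line break followed by space or tab).
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    lines = [ln for ln in unfolded.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "BEGIN:VCARD":
        problems.append("does not start with BEGIN:VCARD")
    if not lines or lines[-1].upper() != "END:VCARD":
        problems.append("does not end with END:VCARD")
    if not any(ln.upper().startswith("VERSION:") for ln in lines):
        problems.append("missing VERSION property")
    bad = [ln for ln in lines if not CONTENT_LINE.match(ln)]
    if bad:
        problems.append(f"{len(bad)} line(s) are not vCard properties")
    return problems


if __name__ == "__main__":
    # Constructed test inputs: a valid card, a wrong extension, binary bytes.
    for fname, payload in [("alice.vcf", GOOD_CARD),
                           ("alice.exe", GOOD_CARD),
                           ("alice.vcf", b"MZ\x90\x00\x03")]:
        print(fname, validate_vcard(fname, payload) or "accepted")
```

The check has to run on the receiving side as well as the sending side, since a sender's client is not under the receiver's control.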



