Bugs and Scams and WhatsApp Web

WhatsApp has finally released a Web version of its popular mobile messaging service. We take a look at it from the security perspective.

WhatsApp for Web vulnerabilities

The popular mobile messaging service WhatsApp released WhatsApp Web late last month. The service will allow users to run WhatsApp on their favorite Web browser — so long as their favorite browser is Google Chrome and they aren’t trying to pair their WhatsApp Web account with an iPhone.

As always, Kaspersky Daily is mostly interested in WhatsApp Web’s security posture. And while the service has only been publicly available for less than one month, we’re already seeing some vulnerabilities and security incidents emerge.

Indrajeet Bhuyan, a 17-year old tech blogger and security researcher out of India, found a pair of interesting but ultimately uncritical, bugs that exist in the interplay between WhatsApp Web and the original mobile variety. To be clear, the web client is merely an extension of the WhatsApp mobile application, mirroring conversations from the mobile device and displaying them on Chrome, according to a WhatsApp blog post. Users will only be able to use WhatsApp Web if their non-iOS mobile device is connected to the Internet.

It’s likely that most WhatsApp Web bugs will, in some way, relate to the mobile application, which Bhuyan’s bugs demonstrate pretty nicely.

One of the bugs that Bhuyan discovered relates to deleted photos and the way synching works between the mobile and web apps. If a user has WhatsApp paired with the new Web service and deletes a photo, the photo will be effectively deleted within the mobile application. However, according to Bhuyan, any deleted photos will remain visible on the Web client. Messages on the other hand, once deleted on the mobile app, are deleted on the Web app as well.

The other bug that Bhuyan uncovered has to do with profile privacy options. Users can make it so that their profile pictures are visible to everyone, just the user’s contacts, or nobody at all. If you choose to only allow your contacts to see your profile picture, Bhuyan claims, it is accidentally revealed to anyone that wants to see it on the Web app. You can see for yourself in the following video:

Bhuyan posted a brief analysis of his research on his own blog, where he’s been posting tech-related stories since he was 14. He claims to have contacted WhatsApp and that they are working on it. Kaspersky Daily reached out to WhatsApp, but they did not respond to our request for comment.

Kaspersky Lab researcher Fabio Assolini has been tracking scams exploiting public interest in the platform. One such scam, according to a write-up on Securelist, mimics the WhatsApp installation page, but installs a shady Google Chrome extension instead of the proper plug-in. In order to install WhatsApp Web, users need to visit web.whatsapp.com and take a picture of the QR code there on a mobile device. Of course, the scammers here deploy a lookalike website with a malicious QR code to infect users.

In fact, Assolini explains that scams revolving around a desktop version of WhatsApp long pre-date the availability of WhatsApp Web. He says he’s noticed several malicious domains peddling Brazilian banking trojans disguised as fake versions of WhatsApp for Windows.

If you’re going to install WhatsApp Web, make sure you go to the correct website

Assolini found yet another criminal group exploiting interest in WhatsApp Web client in order to gather phone numbers for premium-rate SMS scams that sign up mobile numbers for text services, for which users are billed and criminals are paid.

We look forward to learning how WhatsApp Web’s security stacks up against other messaging services.

Best advice for the moment: If you’re going to install WhatsApp Web, make sure you go to the correct website.

Tips