Oh snap! Yap app WhatsApp chaps zap .BAT trap in hack flap

The web version of phone chat app WhatsApp – yes, there's a web version – allowed internet lowlifes to fire off malware at potentially millions of PCs, apparently. WhatsApp Web runs in your browser, and allows you to message friends and follow conversations just as you would on your mobe. We're told Check Point security …

  1. BillG
    Facepalm

    During Kasif’s research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file.

    So WhatsApp's programmers do not even bother to check that the file is a valid vCard format???

    Thankfully, El Reg has the appropriate icon for this laughable excuse for security.

    1. Old Handle

      It doesn't say, but they're both text format, so it should be possible to make a file that is valid as either... at least for a somewhat lax definition of valid.

      1. Vic

        at least for a somewhat lax definition of valid.

        ...at least for a very lax definition of valid.

        Vcards aren't exactly difficult to parse - at least to the point where a batch file would be unusable. But the app didn't bother.

        Vic.

        1. Old Handle

          But legit vcards could easily have unrecognized fields in them. I would imagine simply ignoring these is a fairly common implementation. Sloppy maybe, but rejecting the whole thing isn't that good either.

          1. Vic

            But legit vcards could easily have unrecognized fields in them.

            Doesn't matter.

            It's still a trivial matter to determine whether a particular file is a vCard - with or without unrecognised fields. And if it looks like such a vCard, it isn't going to be a batch file. It's that simple - even a partial parsing would entirely obviate this attack.

            Vic.

            1. Old Handle
              Facepalm

              Are you sure?

              BEGIN:VCARD
              VERSION:2.1
              N:Gump;Forrest
              FN:Forrest Gump
              ORG:Bubba Gump Shrimp Co.
              TITLE:Shrimp Man
              PHOTO;GIF:http://www.example.com/dir_photos/my_photo.gif
              TEL;WORK;VOICE:(111) 555-1212
              TEL;HOME;VOICE:(404) 555-1212
              C:\\windows\\system32\\msg.exe * Thunderstruck
              ADR;WORK:;;100 Waters Edge;Baytown;LA;30314;United States of America
              LABEL;WORK;ENCODING=QUOTED-PRINTABLE:100 Waters Edge=0D=0ABaytown, LA 30314=0D=0AUnited States of America
              ADR;HOME:;;42 Plantation St.;Baytown;LA;30314;United States of America
              LABEL;HOME;ENCODING=QUOTED-PRINTABLE:42 Plantation St.=0D=0ABaytown, LA
              30314=0D=0AUnited States of America
              EMAIL;PREF;INTERNET:forrestgump@example.com
              REV:20080424T195243Z
              END:VCARD

              1. Vic

                Yes, I'm sure.

                C:\\windows\\system32\\msg.exe * Thunderstruck

                That line is trivially discovered by a simple regex. This is schoolboy stuff.

                Vic.

                1. Old Handle

                  Re: Yes, I'm sure.

                  How exactly? Aside from the fact the "C" isn't a recognized property (as we discussed earlier), it's perfectly valid vCard format. It is schoolboy stuff though, I agree. I'm sure someone more skilled with batch could find a more devious way to hide it.

                  1. Vic

                    Re: Yes, I'm sure.

                    it's perfectly valid vCard format.

                    Only if you treat it as a folded line - in which case, concatenating it to the previous line sorts out the immediate issue.

                    Vic.

                    1. Old Handle

                      Re: Yes, I'm sure.

                      So now you're saying they have to not only check that it's a valid vcard, but modify before delivery?

                      1. Vic

                        Re: Yes, I'm sure.

                        So now you're saying they have to not only check that it's a valid vcard, but modify before delivery?

                        No, I'm saying that, in the event that some of it is unrecognised, there is a trivial modification that entirely obviates the problem. Said modification needs to be performed to parse the vCard anyway, as per the spec.

                        So now you can go and give me more downvotes because you don't want to read up on this very simple (if somewhat flawed) file format.

                        Vic.

                        1. Old Handle

                          Are you still sure?

                          I did read that, in fact. But it turns out there's something even more important that we both failed to read:

                          The original attack description

                          As I suggested, someone more skilled in batch found a better way to hide it. It turns out there's no need for folding, escaped backslashes or any of that. All you need is the & sign.

                          FN:John Doe & msg * Hacked

                          So there you have it. And please, if you're going to claim this is also invalid vcard format and "trivially discovered", explain why and how this time.
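As an added example (not code from the thread, The Register, Check Point or WhatsApp), a Python checker in the spirit of Vic's regex argument and Old Handle's counter-example: it unfolds continuation lines, rejects lines that are not vCard content lines or that use unknown non-X property names, and flags values carrying cmd.exe metacharacters such as the `&` in `FN:John Doe & msg * Hacked`. The known-property list is an assumed subset of vCard 2.1/3.0.

```python
import re

# Added example: strict vCard content-line check plus a cmd.exe metacharacter
# check. KNOWN_PROPS is an assumed subset of the RFC 2426 property names;
# names starting with "X-" are accepted as extensions.
KNOWN_PROPS = {
    'BEGIN', 'END', 'VERSION', 'N', 'FN', 'NICKNAME', 'PHOTO', 'BDAY', 'ADR',
    'LABEL', 'TEL', 'EMAIL', 'TITLE', 'ROLE', 'LOGO', 'ORG', 'CATEGORIES',
    'NOTE', 'PRODID', 'REV', 'SOUND', 'UID', 'URL', 'KEY', 'TZ', 'GEO',
}
# Shape of a content line: [group.]NAME[;PARAM[=value]]*:value
CONTENT_LINE = re.compile(
    r'^(?:(?P<group>[A-Za-z0-9-]+)\.)?(?P<name>[A-Za-z0-9-]+)'
    r'(?P<params>(?:;[A-Za-z0-9-]+(?:=[^;:]*)?)*):(?P<value>.*)$'
)
# cmd.exe command separators, redirections, the escape char and %VAR% expansions.
CMD_META = re.compile(r'[&|<>^]|%[^%\s]+%')


def unfold(text: str) -> list[str]:
    """Join RFC 2425 folded lines: a continuation starts with a space or tab."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (' ', '\t') and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def check_vcard(text: str) -> list[str]:
    """Return a list of findings for one card; an empty list means it passed."""
    findings: list[str] = []
    lines = unfold(text)
    if (len(lines) < 2 or lines[0].upper() != 'BEGIN:VCARD'
            or lines[-1].upper() != 'END:VCARD'):
        findings.append('missing BEGIN:VCARD/END:VCARD envelope')
    for n, line in enumerate(lines, 1):
        m = CONTENT_LINE.match(line)
        if m is None:
            # e.g. a continuation line whose leading space was lost
            findings.append(f'line {n}: not a vCard content line: {line!r}')
            continue
        name = m.group('name').upper()
        if name not in KNOWN_PROPS and not name.startswith('X-'):
            findings.append(f'line {n}: unknown property {name!r}')
        if CMD_META.search(m.group('value')):
            findings.append(f'line {n}: {name} value contains cmd.exe metacharacters')
    return findings
```

The property-name rule catches the `C:\\windows\\...` line from earlier in the thread, while only the metacharacter rule catches the `&` variant, which is grammatically a perfectly good FN value.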

  2. Marc 25

    I'm guessing I-Fruit owners will be unaffected as batch files don't work in iOS?

    1. The Bam

      They don't work in Android either. This is an attack on Windows machines.

  3. Anonymous Coward

    Calm down with the rhyming Dr. Seuss...
