{"id":4552,"date":"2015-02-10T10:00:32","date_gmt":"2015-02-10T15:00:32","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4552"},"modified":"2020-02-26T18:59:36","modified_gmt":"2020-02-26T14:59:36","slug":"scams-and-bugs-and-whatsapp-web","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/scams-and-bugs-and-whatsapp-web\/4552\/","title":{"rendered":"Bugs and Scams and WhatsApp Web"},"content":{"rendered":"<p>The <a href=\"https:\/\/www.kaspersky.com\/blog\/facebook-acquires-whatsapp-consequences-for-service-users\/\" target=\"_blank\" rel=\"noopener nofollow\">popular mobile messaging service WhatsApp<\/a> released WhatsApp Web late last month. The service will allow users to run WhatsApp on their favorite Web browser \u2014 so long as their favorite browser is Google Chrome and they aren\u2019t trying to pair their WhatsApp Web account with an iPhone.<\/p>\n<p>As always, Kaspersky Daily is mostly interested in <a href=\"https:\/\/threatpost.com\/spammers-take-a-liking-to-whatsapp-mobile-app\/110496\" target=\"_blank\" rel=\"noopener nofollow\">WhatsApp Web\u2019s security posture<\/a>. And while the service has been publicly available for less than one month, we\u2019re already seeing some vulnerabilities and security incidents emerge.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/02\/05111843\/WhatsApp-for-Web-vulnerabilities-1-1024x768.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7431\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/02\/05111843\/WhatsApp-for-Web-vulnerabilities-1-1024x768.png\" alt=\"WhatsApp for Web vulnerabilities\" width=\"1067\" height=\"800\"><\/a><\/p>\n<p>Indrajeet Bhuyan, a 17-year-old tech blogger and security researcher out of India, found a pair of interesting, but ultimately uncritical, bugs that exist in the interplay between WhatsApp Web and the original mobile variety. 
To be clear, the web client is merely an extension of the WhatsApp mobile application, mirroring conversations from the mobile device and displaying them on Chrome, according to a WhatsApp blog post. Users will only be able to use WhatsApp Web if their non-iOS mobile device is connected to the Internet.<\/p>\n<p>It\u2019s likely that most WhatsApp Web bugs will, in some way, relate to the mobile application, which Bhuyan\u2019s bugs demonstrate pretty nicely.<\/p>\n<p>One of the bugs that Bhuyan discovered relates to deleted photos and the way syncing works between the mobile and web apps. If a user has WhatsApp paired with the new Web service and deletes a photo, the photo will be effectively deleted within the mobile application. However, according to Bhuyan, any deleted photos will remain visible on the Web client. Messages, on the other hand, once deleted on the mobile app, are deleted on the Web app as well.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/vxEi2E5Wnew?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>The other bug that Bhuyan uncovered has to do with profile privacy options. Users can make it so that their profile pictures are visible to everyone, just the user\u2019s contacts, or nobody at all. 
If you choose to only allow your contacts to see your profile picture, Bhuyan claims, it is accidentally revealed to anyone that wants to see it on the Web app. You can see for yourself in the following video:<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/xJaqQ5gYNMM?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Bhuyan <a href=\"http:\/\/www.hackatrick.com\/2015\/02\/multiple-vulneribilities-found-in.html\" target=\"_blank\" rel=\"noopener nofollow\">posted a brief analysis of his research<\/a> on his own blog, where he\u2019s been posting tech-related stories since he was 14. He claims to have contacted WhatsApp and that they are working on it. Kaspersky Daily reached out to WhatsApp, but they did not respond to our request for comment.<\/p>\n<p>Kaspersky Lab researcher Fabio Assolini has been tracking scams exploiting public interest in the platform. One such scam, according to a <a href=\"https:\/\/securelist.com\/blog\/research\/68631\/whatsapp-for-web-in-the-sight-of-cybercriminals\/\" target=\"_blank\" rel=\"noopener\">write-up on Securelist<\/a>, mimics the WhatsApp installation page, but installs a shady Google Chrome extension instead of the proper plug-in. In order to install WhatsApp Web, users need to visit web.whatsapp.com and take a picture of the QR code there on a mobile device. 
Of course, the scammers here deploy a lookalike website with a malicious QR code to infect users.<\/p>\n<p>In fact, Assolini explains that scams revolving around a desktop version of WhatsApp long pre-date the availability of WhatsApp Web. 
He says he\u2019s noticed several malicious domains peddling Brazilian banking trojans disguised as fake versions of WhatsApp for Windows.<\/p>\n<p>Assolini found yet another criminal group exploiting interest in the WhatsApp Web client in order to gather phone numbers for premium-rate SMS scams that sign up mobile numbers for text services, for which users are billed and criminals are paid.<\/p>\n<p>We look forward to learning how WhatsApp Web\u2019s security stacks up against <a href=\"https:\/\/www.kaspersky.com\/blog\/nine-secure-messengers\/\" target=\"_blank\" rel=\"noopener nofollow\">other messaging services<\/a>.<\/p>\n<p>Best advice for the moment: If you\u2019re going to install WhatsApp Web, make sure you go to the <a href=\"https:\/\/web.whatsapp.com\/\" target=\"_blank\" rel=\"noopener nofollow\">correct website<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WhatsApp has finally released a Web version of its popular mobile messaging service. 
We take a look at it from the security perspective.<\/p>\n","protected":false},"author":42,"featured_media":4553,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[80,923,426,43,97,520],"class_list":{"0":"post-4552","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-fraud","9":"tag-messenger","10":"tag-mobile-devices","11":"tag-privacy","12":"tag-security-2","13":"tag-whatsapp"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/scams-and-bugs-and-whatsapp-web\/4552\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/scams-and-bugs-and-whatsapp-web\/4604\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/scams-and-bugs-and-whatsapp-web\/5122\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/scams-and-bugs-and-whatsapp-web\/6879\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/scams-and-bugs-and-whatsapp-web\/7428\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/scams-and-bugs-and-whatsapp-web\/6816\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/scams-and-bugs-and-whatsapp-web\/6879\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/scams-and-bugs-and-whatsapp-web\/7428\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/scams-and-bugs-and-whatsapp-web\/7428\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/fraud\/","name":"fraud"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-j
son\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4552"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4552\/revisions"}],"predecessor-version":[{"id":15981,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4552\/revisions\/15981"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4553"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}