The flaw that Check Point discovered is that an attacker could potentially send a WhatsApp Web user a vCard that includes malicious code. A vCard is an industry-standard format for business card information. According to Check Point, the unpatched WhatsApp Web interface enabled the malicious vCard to open on the user’s device as an executable, which could have included malware.
The root cause of the vCard flaw that Check Point reported to WhatsApp is that the system did not properly filter input from the contact cards. Check Point security researcher Kasif Dekel was able to intercept the Extensible Messaging and Presence Protocol (XMPP) message requests sent to the WhatsApp servers in order to manipulate the vCard files.