I wonder why this should only be exploitable on the WhatsApp web application. If it is possible to trick browsers into launching arbitrary applications by using vcards, this should affect many web application using vcards and the the security issue would have been in the browser side of things. What am i missing?