A critical security issue has been discovered in the desktop client of WhatsApp that could allow remote hackers to access your desktop files on a Windows or Mac computer when paired with an iPhone. However, the vulnerability has now been fixed by the messaging service’s parent company, Facebook.
Discovered by PerimeterX cybersecurity researcher Gal Weizman, the vulnerability, tracked as CVE-2019-18426, resided in WhatsApp Web, which also powers its Electron-based cross-platform apps for desktop operating systems.
“A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message,” reads the description of the WhatsApp vulnerability provided in the U.S. National Vulnerability Database (NVD).
In his blog post, Weizman mentioned that WhatsApp Web was vulnerable to an open-redirect flaw that could have led to persistent cross-site scripting attacks triggered by sending specially crafted messages to targeted WhatsApp users.
Weizman discovered a loophole in WhatsApp’s Content Security Policy (CSP) that allowed cross-site scripting (XSS) on the desktop application. By sending a single message, he was able to read the local file system of a recipient and identify the remote code execution (RCE) potential on the desktop application.
The only thing that the affected WhatsApp user had to do was to view the malicious message over the browser. This would have given remote attackers backdoor access to execute arbitrary code in the context of WhatsApp’s web domain.
“CSP rules are super important and could have prevented a big part of this mess. If the CSP rules were well configured, the power gained by this XSS would have been much smaller. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more.”
According to Weizman, WhatsApp should not use an older version of Google’s Chromium browser platform, in order to avoid such flaws.
The vulnerability was patched by Facebook last year after receiving an alert from Weizman.
Speaking about the vulnerability, a WhatsApp spokesperson said, “We regularly work with leading security researchers to stay ahead of potential threats to our users. In this case, we fixed an issue that in theory could have impacted iPhone users that clicked on a malicious link while using WhatsApp on their desktop. The bug was promptly fixed and has been applied since mid-December.”
Since the company has fixed the flaw, users should update both their WhatsApp desktop app and the phone app on their Android or iOS device to avoid any issues.