• January 25, 2022

WhatsApp Desktop Platform Security Flaw Allowed Access To Local File System

A researcher found numerous security flaws in the WhatsApp Desktop platform for both Windows and macOS. The vulnerabilities could allow an attacker access to the local file system.

WhatsApp For Desktop Flaws Discovered

Security researcher Gal Weizman from PerimeterX has find out numerous security flaws in the WhatsApp Desktop Platform. As revealed in his report, these vulnerabilities could allow an adversary to get access to the local file system.

In brief, when he started testing WhatsApp, he found two vulnerabilities that affected all main WhatsApp platforms. That’s, WhatsApp for Android, iOS, Mac, Windows, and web versions. These vulnerabilities weren’t hard to exploit but certainly had a malicious impact.

One of these was a simple alteration of text messages via WhatsApp Web by altering 1 line of code. Whereas, the additional vulnerability allowed changing banners of the links shared in WhatsApp conversations. This alteration could allow an adversary to redirect users to malicious links by displaying them false banners and misleading messages with them.

The researcher could continue the exploitation of the bugs from the simple open-redirects to attain persistent XSS whilst bypassing the WhatsApp Content Security Policy (CSP) and, further, to achieve read access to the local file system.

It had been all possible since WhatsApp was not running on the latest version of Electron – a Chromium-based app that facilitates in building native apps. Since the XSS existed in the old Chromium versions, the old Electron versions also became vulnerable to such attacks. As stated by the researcher,

If WhatsApp would have updated their Electron web application from 4.1.4 to the latest which was 7.x.x at the time this vulnerability was found(!) – this XSS would never have existed!

Such exploitation also had the potential for remote code execution.

Precise information regarding the exploitation are available in his article.

Facebook Patched The Vulnerabilities

Facebook has also confirmed the existence of these vulnerabilities (CVE-2019-18426) in the WhatsApp Desktop platform. As stated in their advisory,

A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

Facebook confirmed that the vulnerability affected “WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10”.

0 0 votes

Read Previous

Joker’s laughing: Fresh database of half of a million Indian credit card information on sale in the Dark Web

Read Next

A dark web tycoon pleads guilty. But how was he caught?

Inline Feedbacks
View all comments