WhatsApp Bug Could Have Allowed Attackers to Remotely Access Files on Your Desktop

WhatsApp desktop application versions prior to 0.3.9309 are affected by the newly reported vulnerability

HIGHLIGHTS
  • WhatsApp desktop application vulnerability is classed as “high”
  • It impacted WhatsApp Web client to some extent as well
  • WhatsApp users are recommended to install the latest desktop version

WhatsApp has been discovered to have a critical vulnerability that could have allowed attackers to remotely access files from a Windows or Mac computer. The vulnerability, which has been fixed by Facebook, could be exploited using the WhatsApp desktop application. It was a combination of multiple high-severity flaws in the WhatsApp desktop application, some of which were also present in the WhatsApp Web client that runs in Web browsers. The vulnerability essentially allowed for cross-site scripting (XSS) that could be used by remote attackers.

PerimeterX researcher Gal Weizman discovered the WhatsApp vulnerability, which is tracked as CVE-2019-18426. The researcher stated that a weakness in WhatsApp's Content Security Policy (CSP) allowed for XSS attacks on the desktop app. The CSP flaw also affected the WhatsApp Web client to some extent, as it made it possible to alter rich preview banners with malicious content.

The researcher mentioned in a blog post that the Web client was vulnerable to an open-redirect flaw that could have led to persistent cross-site scripting attacks triggered by sending specially crafted messages to WhatsApp users.

However, the scope of the flaw was considerably wider on the WhatsApp desktop application than on its Web client. The researcher found that he was able to read the file system and identify the remote code execution (RCE) potential on the desktop application. All an affected WhatsApp user had to do to give attackers backdoor access was click on the specially crafted message.