WhatsApp has been discovered to have a critical vulnerability that could have allowed attackers to remotely access files from a Windows or Mac computer. The vulnerability, which has been fixed by Facebook, could be exploited using the WhatsApp desktop application. It was a mix of multiple high-severity flaws that existed within the WhatsApp desktop application. Some of those flaws were also a part of the WhatsApp Web client that works on Web browsers. The vulnerability essentially allowed for cross-site scripting (XSS) that could be used by remote attackers.
PerimeterX researcher Gal Weizman discovered the WhatsApp vulnerability that has been tracked as CVE-2019-18426. The researcher stated that the security loophole existed within the Content Security Policy (CSP) of WhatsApp that allowed for XSS attacks on the desktop app. The flaw in the CSP also impacted the WhatsApp Web client to some extent as it provided space to alter rich preview banners with malicious content.
The researcher in a blog post mentioned that the Web client was vulnerable to an open-redirect flaw that could have led to persistent cross-site scripting attacks triggered by sending specially crafted messages to WhatsApp users.
However, the scope of the loophole is found to be quite wider on the WhatsApp desktop application over what was discovered on its Web client. The researcher found that he was able to read the file system and identify the remote code execution (RCE) potential on the desktop application. The only thing that the affected WhatsApp users had to do was to click on the specially crafted message to provide backdoor access to attackers.
The researcher demonstrated an attack that could take place using the vulnerability by showing a screenshot highlighting the content of the hosts file fetched from a victim's computer remotely using the WhatsApp desktop application.
Facebook patched the vulnerability upon receiving an alert from Weizman last year. Moreover, the vulnerability is classed as “high”.
"A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message," reads the description of the WhatsApp vulnerability provided in the US National Vulnerability Data (NVD).
Late last month, the NVD site revealed that WhatsApp disclosed as many as 12 vulnerabilities in 2019, including seven “critical” ones. The number of vulnerabilities disclosed was significantly higher than the one or two security flaws the instant messaging app reported in the past few years.