• Home
  • Apps
  • Apps News
  • WhatsApp Bug Could Have Allowed Attackers to Remotely Access Files on Your Desktop

WhatsApp Bug Could Have Allowed Attackers to Remotely Access Files on Your Desktop

The WhatsApp vulnerability has been tracked as CVE-2019-18426.

Share on Facebook Tweet Snapchat Share Reddit Comment
WhatsApp Bug Could Have Allowed Attackers to Remotely Access Files on Your Desktop

WhatsApp desktop application versions prior to 0.3.9309 are affected by the newly reported vulnerability

Highlights
  • WhatsApp desktop application vulnerability is classed as “high”
  • It impacted WhatsApp Web client to some extent as well
  • WhatsApp users are recommended to install the latest desktop version

WhatsApp has been discovered to have a critical vulnerability that could have allowed attackers to remotely access files from a Windows or Mac computer. The vulnerability, which has been fixed by Facebook, could be exploited using the WhatsApp desktop application. It was a mix of multiple high-severity flaws that existed within the WhatsApp desktop application. Some of those flaws were also a part of the WhatsApp Web client that works on Web browsers. The vulnerability essentially allowed for cross-site scripting (XSS) that could be used by remote attackers.

PerimeterX researcher Gal Weizman discovered the WhatsApp vulnerability that has been tracked as CVE-2019-18426. The researcher stated that the security loophole existed within the Content Security Policy (CSP) of WhatsApp that allowed for XSS attacks on the desktop app. The flaw in the CSP also impacted the WhatsApp Web client to some extent as it provided space to alter rich preview banners with malicious content.

The researcher in a blog post mentioned that the Web client was vulnerable to an open-redirect flaw that could have led to persistent cross-site scripting attacks triggered by sending specially crafted messages to WhatsApp users.

However, the scope of the loophole is found to be quite wider on the WhatsApp desktop application over what was discovered on its Web client. The researcher found that he was able to read the file system and identify the remote code execution (RCE) potential on the desktop application. The only thing that the affected WhatsApp users had to do was to click on the specially crafted message to provide backdoor access to attackers.

"For some reason, the CSP rules were not an issue with the Electron based app, so fetching an external payload using a simple JavaScript resource worked," Weizman explained in the blog post.

The researcher demonstrated an attack that could take place using the vulnerability by showing a screenshot highlighting the content of the hosts file fetched from a victim's computer remotely using the WhatsApp desktop application.

whatsapp desktop vulnerability screenshot perimeterix WhatsApp

WhatsApp vulnerability on its desktop has been demonstrated
Photo Credit: PerimeterX

 

Facebook patched the vulnerability upon receiving an alert from Weizman last year. Moreover, the vulnerability is classed as “high”.

"A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message," reads the description of the WhatsApp vulnerability provided in the US National Vulnerability Data (NVD).

Late last month, the NVD site revealed that WhatsApp disclosed as many as 12 vulnerabilities in 2019, including seven “critical” ones. The number of vulnerabilities disclosed was significantly higher than the one or two security flaws the instant messaging app reported in the past few years.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Jagmeet Singh Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
Samsung Galaxy A51 Update Brings Camera Stability Improvement, December Security Patch: Report

Related Stories

 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2020. All rights reserved.
Listen to the latest songs, only on JioSaavn.com