A vulnerability in WhatsApp could be exploited to remotely access a victim's files on their computer – if they use the desktop client paired with the iPhone app. A patch has been issued and should be installed.
Bug-hunter Gal Weizman, from security shop PerimeterX, discovered and reported CVE-2019-18426, a cross-site scripting hole that could potentially allow an attacker to get to the local file system of another user simply by sending a specially crafted message. The security bug was fixed in January by Facebook in WhatsApp Desktop version 0.3.9309 and later.
Crown Prince of Saudi Arabia accused of hacking Jeff Bezos' phone with malware-laden WhatsApp messageREAD MORE
"On WhatsApp the banner is being generated on the side of the sender and this is an important point to understand," said Weizman. "One can easily tamper with the banner properties before sending it to the receiver."
Weizman added the heart of the flaw lies in the Chromium browser engine in the application framework Electron that WhatsApp relies on to provide a user interface for its desktop client. While the cross-site scripting bug was patched a while back in Chromium, WhatsApp used an old version of Electron that included a vulnerable build of the browser engine.
"Electron is a cool platform that lets you create 'native' applications using standard web features," Weizman explained.
"This makes things super easy for a lot of big companies since it allows them to have one source code for both their web applications and native desktop applications. Electron constantly updates along with the platform it is based on: Chromium."
In short, WhatsApp's desktop client was built on a version of Electron that used an out-of-date insecure Chromium build, which made it vulnerable to a flaw patched a while back. As a result, users were potentially vulnerable to attack. Users and admins can protect themselves from attack by updating to the latest version of WhatsApp, which is built on a more up-to-date stack. ®