This article is more than 1 year old

Terrifying bug in WhatsApp allows hackers to steal files. So get patching all nine of you using it on the desktop

Dear Facebook, please keep up with Electron and Chromium fixes, ta

A vulnerability in WhatsApp could be exploited to remotely access a victim's files on their computer – if they use the desktop client paired with the iPhone app. A patch has been issued and should be installed.

Bug-hunter Gal Weizman, from security shop PerimeterX, discovered and reported CVE-2019-18426, a cross-site scripting hole that could potentially allow an attacker to get to the local file system of another user simply by sending a specially crafted message. The security bug was fixed in January by Facebook in WhatsApp Desktop version 0.3.9309 and later.

The vulnerability lies in the way the Windows and Mac versions of the instant-messaging app handle so-called banners, or previews of web links in messages. JavaScript code stashed in a maliciously crafted banner can bypass protection mechanisms and access the local file system of the target.

bin Salman

Crown Prince of Saudi Arabia accused of hacking Jeff Bezos' phone with malware-laden WhatsApp message


"On WhatsApp the banner is being generated on the side of the sender and this is an important point to understand," said Weizman. "One can easily tamper with the banner properties before sending it to the receiver."

Weizman added the heart of the flaw lies in the Chromium browser engine in the application framework Electron that WhatsApp relies on to provide a user interface for its desktop client. While the cross-site scripting bug was patched a while back in Chromium, WhatsApp used an old version of Electron that included a vulnerable build of the browser engine.

"Electron is a cool platform that lets you create 'native' applications using standard web features," Weizman explained.

"This makes things super easy for a lot of big companies since it allows them to have one source code for both their web applications and native desktop applications. Electron constantly updates along with the platform it is based on: Chromium."

In short, WhatsApp's desktop client was built on a version of Electron that used an out-of-date insecure Chromium build, which made it vulnerable to a flaw patched a while back. As a result, users were potentially vulnerable to attack. Users and admins can protect themselves from attack by updating to the latest version of WhatsApp, which is built on a more up-to-date stack. ®

More about


Send us news

Other stories you might like