Terrifying bug in WhatsApp allows hackers to steal files. So get patching all nine of you using it on the desktop

Dear Facebook, please keep up with Electron and Chromium fixes, ta

A vulnerability in WhatsApp could be exploited to remotely access a victim's files on their computer – if they use the desktop client paired with the iPhone app. A patch has been issued and should be installed.

Bug-hunter Gal Weizman, from security shop PerimeterX, discovered and reported CVE-2019-18426, a cross-site scripting hole that could potentially allow an attacker to get to the local file system of another user simply by sending a specially crafted message. The security bug was fixed in January by Facebook in WhatsApp Desktop version 0.3.9309 and later.

The vulnerability lies in the way the Windows and Mac versions of the instant-messaging app handle so-called banners, or previews of web links in messages. JavaScript code stashed in a maliciously crafted banner can bypass protection mechanisms and access the local file system of the target.

bin Salman

Crown Prince of Saudi Arabia accused of hacking Jeff Bezos' phone with malware-laden WhatsApp message


"On WhatsApp the banner is being generated on the side of the sender and this is an important point to understand," said Weizman. "One can easily tamper with the banner properties before sending it to the receiver."

Weizman added the heart of the flaw lies in the Chromium browser engine in the application framework Electron that WhatsApp relies on to provide a user interface for its desktop client. While the cross-site scripting bug was patched a while back in Chromium, WhatsApp used an old version of Electron that included a vulnerable build of the browser engine.

"Electron is a cool platform that lets you create 'native' applications using standard web features," Weizman explained.

"This makes things super easy for a lot of big companies since it allows them to have one source code for both their web applications and native desktop applications. Electron constantly updates along with the platform it is based on: Chromium."

In short, WhatsApp's desktop client was built on a version of Electron that used an out-of-date insecure Chromium build, which made it vulnerable to a flaw patched a while back. As a result, users were potentially vulnerable to attack. Users and admins can protect themselves from attack by updating to the latest version of WhatsApp, which is built on a more up-to-date stack. ®

Keep Reading

Big Tech to face its Ma Bell moment? US House Dems demand break-up of 'monopolists' Apple, Amazon, Facebook, Google

'These once scrappy, underdog startups have become the kinds of monopolies we last saw in the era of oil barons and railroad tycoons'

At historic Apple, Amazon, Facebook, Google CEOs hearing, congressmen ramble, congresswomen home in on tech market abuse

Analysis We watched six hours of congressional hearings so you didn’t have to

Facebook, Amazon, Apple, Google told: If you could cough up a decade of your internal emails, that'd be great

Oh, and you have four weeks to comply, says US antitrust probe

Google and Facebook abandon Hong Kong landing of new submarine cable

There be dragons, say US authorities, so first planned US-HK cable darkens its last leg

Google Safari Workaround case inspires campaign to sue Facebook in UK's High Court over Cambridge Analytica app

'Facebook You Owe Us' wants to run a not-quite-class-action-style lawsuit

Google, Amazon pass on UK Digital Services Tax by hiking ad prices, fees at same rate the government takes

Which means you get to pay, because cost of ads, sellers' fee hikes are built into prices, so once the tech titans charge more ... you get the drift

Here we go: Uncle Sam launches antitrust probe into *cough* Facebook, Google *cough* Amazon *splutter* Twitter...

No names given, probably because we all know who they're talking about

If you're on invite-only tech-testing scheme, take care with Amazon's Alexa-powered answer to Google's Glass

iFixit reveals repair won't be trivial

Biting the hand that feeds IT © 1998–2020