WhatsApp, serious security flaw on the desktop version: How to protect yourself
The vulnerability allows an attacker, by creating a message with particular characteristics, to access the files on the system.
Facebook has issued a warning for a security flaw in WhatsApp Desktop that can allow an attacker to take advantage of the cross-site scripting technique to access files on Mac or Windows desktop/notebook systems using a specially constructed message.
In this way the attacker could read the contents of files on the computer of the user at the other end of the conversation, the recipient of the message, and potentially carry out other malicious actions.
The flaw was discovered by PerimeterX security researcher Gal Weizman and stems from the way the WhatsApp desktop client was built on the Electron framework, which has had security issues of its own in the past.
Electron is a framework that lets developers build cross-platform applications from web and browser technologies with little effort, but an Electron app is only as safe as the components its developers configure within it.
Weizman first identified cross-site scripting vulnerabilities in WhatsApp in 2017, when he discovered that message metadata could be tampered with to forge link preview banners for web pages and to craft URLs that disguise hostile intent within WhatsApp messages.
The researcher continued investigating the WhatsApp client and found that he could inject JavaScript code into messages; that code was then executed within WhatsApp Desktop and, through the JavaScript Fetch API, gained access to the local filesystem.
All this was possible because the vulnerable versions of WhatsApp Desktop were built on an old version of Google Chrome's browser engine with known vulnerabilities. Newer versions of Chromium detect and neutralize this kind of malicious code.
The vulnerability affects WhatsApp Desktop versions 0.3.9309 and earlier when paired with the iPhone app version 2.20.10 and earlier. Facebook has released new versions of WhatsApp Desktop that use the updated browser component.
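The two points above (an Electron app is only as safe as what its developers configure, and an injected script in the renderer could reach the local filesystem) come down to a handful of `BrowserWindow` settings. The following is an added example, not code from the article or from WhatsApp: a small lint for Electron `webPreferences` and for a Content-Security-Policy value that flags the settings which let a message-rendering XSS escalate to file access. The rule names are real Electron options; the default values assumed are those of current Electron (v20+), with an opt-in for the weaker defaults of older releases.

```javascript
// Added example, not the article's or WhatsApp's code. Lints Electron
// BrowserWindow webPreferences for the settings that turn a renderer XSS
// into local filesystem access. Assumed defaults: Electron v20+ (safe) or,
// with legacyDefaults, pre-v5 Electron (nodeIntegration on, no isolation).
const SAFE_DEFAULTS = { nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true };
const LEGACY_DEFAULTS = { nodeIntegration: true, contextIsolation: false, sandbox: false, webSecurity: true };

// Each rule: option name, the value considered safe, and why it matters.
const RULES = [
  ['nodeIntegration', false, 'renderer can require("fs"); injected script reads local files directly'],
  ['contextIsolation', true, 'page script shares a JS context with preload code and its privileged APIs'],
  ['sandbox', true, 'renderer runs unsandboxed; an engine bug escalates to OS-level access'],
  ['webSecurity', true, 'same-origin policy off; fetch() can read file:// and cross-origin resources'],
];

// Returns one finding per option whose effective value is not the safe one.
function auditWebPreferences(prefs, { legacyDefaults = false } = {}) {
  const effective = { ...(legacyDefaults ? LEGACY_DEFAULTS : SAFE_DEFAULTS), ...(prefs || {}) };
  const findings = [];
  for (const [key, safeValue, why] of RULES) {
    if (effective[key] !== safeValue) findings.push({ key, value: effective[key], why });
  }
  return findings;
}

// Checks a CSP header value: scripts must be restricted to the app's own
// origin, with no inline scripts, no eval and no bare wildcard source.
function auditCsp(csp) {
  const directives = Object.fromEntries(
    csp.split(';').map(d => d.trim()).filter(Boolean)
      .map(d => { const [name, ...vals] = d.split(/\s+/); return [name, vals]; }));
  const scriptSrc = directives['script-src'] || directives['default-src'];
  if (!scriptSrc) return ['no script-src or default-src: scripts may load from any origin'];
  const problems = [];
  if (scriptSrc.includes("'unsafe-inline'")) problems.push("script-src allows 'unsafe-inline'");
  if (scriptSrc.includes("'unsafe-eval'")) problems.push("script-src allows 'unsafe-eval'");
  if (scriptSrc.includes('*')) problems.push('script-src allows a wildcard origin');
  return problems;
}

// Constructed sample: a weak configuration next to its hardened form.
const weakPrefs = { nodeIntegration: true, contextIsolation: false, webSecurity: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true };
const weakCsp = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const hardenedCsp = "default-src 'self'; script-src 'self'";

console.log(auditWebPreferences(weakPrefs).map(f => `${f.key}=${f.value}: ${f.why}`).join('\n'));
console.log(auditCsp(weakCsp));
```

Run with `node` alone; nothing here needs Electron installed, since it only inspects the configuration objects an app would pass to `new BrowserWindow(...)`.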
“We regularly work with leading cybersecurity researchers to detect potential threats to our users in advance. In this case, we have resolved an issue that could theoretically have had an impact on iPhone users who clicked on a malicious link while using WhatsApp from a desktop. The bug was promptly resolved through an update implemented since mid-December,” is the official position expressed by WhatsApp through a spokesperson.