Vulnerability in WhatsApp Desktop Exposed User Files

Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files from the victim’s system when paired with WhatsApp for iPhone.

Tracked as CVE-2019-18426 and considered high severity (CVSS score 8.2), the security bug could be exploited by sending to the victim a specially crafted text message that included a link preview. Both Windows and macOS users were impacted.

The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who said he found multiple issues in WhatsApp Desktop, starting with an open redirect into persistent XSS and Content Security Policy (CSP) bypass, and then a “cross platforms read from the local file system.”

What the security researcher found was that he could bypass WhatsApp’s CSP to execute code on a target system using maliciously crafted messages.

One of the main issues Weizman identified was that an attacker could modify WhatsApp reply messages to include quotes of messages the recipient never sent.

He also discovered that, because the banners WhatsApp displays when links are included in the body of a message are generated on the sender side, an attacker could alter the properties of these banners to hide the actual site the user is taken to when clicking on the link.

By tricking the user into clicking on a banner that hides a link using a javascript: URI, one could achieve persistent XSS, the researcher says. The trick, however, would not work on Chromium-based browsers, as they include a defense mechanism that blocks navigation to such URIs.
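The two weaknesses described above (a sender-controlled banner and a link whose scheme is not a web scheme) are both addressed by validating the preview on the receiving side before rendering it. The following is an added example written for this article, not WhatsApp's code; the preview object shape (`url`, `title`, `description`, `displayHost`) and the sample previews are assumptions constructed for the demonstration.

```javascript
// Added example (not WhatsApp's code): defensive validation of a sender-supplied
// link preview before the receiving client renders it.
// Assumption: the preview is an object { url, title, description, displayHost }
// in which every field comes from the sender and is therefore untrusted.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the parsed URL if it is a navigable web URL, otherwise null.
// Rejects javascript:, data:, file: and any other non-web scheme.
function parseNavigableUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    return null; // not an absolute URL at all
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null; // "https://bank.example@attacker.invalid" style confusion
  return url;
}

// Validates a preview and returns { ok, reason, preview }. The host shown in
// the banner is recomputed from the real link target, so the banner can never
// claim a different destination than the link it wraps.
function validateLinkPreview(preview) {
  const url = parseNavigableUrl(preview && preview.url);
  if (!url) return { ok: false, reason: "unsafe-or-invalid-url" };
  const sanitized = {
    url: url.href,
    title: String(preview.title || "").slice(0, 200),
    description: String(preview.description || "").slice(0, 500),
    displayHost: url.hostname, // derived from the link, not from the sender's claim
  };
  // Report when the sender's claimed host differs; the true host is rendered regardless.
  const claimed =
    typeof preview.displayHost === "string" ? preview.displayHost.toLowerCase() : "";
  const mismatch = claimed !== "" && claimed !== url.hostname.toLowerCase();
  return { ok: true, reason: mismatch ? "display-host-mismatch" : "ok", preview: sanitized };
}

// Constructed sample previews (not real messages).
const SAMPLES = [
  { url: "https://example.com/article", title: "Example", displayHost: "example.com" },
  { url: "javascript:alert(document.domain)", title: "Click me", displayHost: "example.com" },
  { url: "https://attacker.invalid/landing", title: "Account login", displayHost: "bank.example" },
];

// Runs the validator over the samples; the second is rejected outright and the
// third is rendered with "attacker.invalid" as its host instead of the claimed one.
function runSamples() {
  return SAMPLES.map(validateLinkPreview);
}
```

The design point is that the receiver never trusts any display property it did not derive itself: the scheme check removes the javascript: URI vector, and recomputing the host from the parsed URL removes the banner-spoofing vector, independent of whether the rendering engine happens to block javascript: navigation.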

Through the XSS, the researcher was then able to run external code. To do so, he crafted a message that loaded an iframe; the iframe displayed a notification carrying the external code in the top window, where the XSS executes, so that the code ran in the context of whatsapp.com.

The WhatsApp Desktop applications for Windows and macOS are written using the Electron platform, which is Chromium-based, meaning that they should have been protected from the XSS attack.

However, because the apps were still based on a vulnerable version of Chrome — they used Chrome 69 when the latest stable version of Chrome was 78 — WhatsApp’s desktop users were exposed, the researcher explains.

“Since Chromium 69 is relatively old, exploiting a 1-day RCE is possible! There are more than 5 different 1-day RCEs in Chromium 69 or higher, you just need to find a published one and use it through the persistent XSS found earlier and BAM: Remote Code Execution achieved,” Weizman points out.

The researcher says he did not attempt any code execution attacks, but that he was able to use the fetch() API to read files from the local file system.

“For some reason, the CSP rules were not an issue with the Electron based app, so fetching an external payload using a simple javascript resource worked,” the researcher notes.
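A CSP that is actually enforced decides, per directive, whether a load such as the external script fetch described above is permitted. The following added example (written for this article; not WhatsApp's or Electron's code) is a minimal evaluator for the CSP source-list grammar that shows what an enforced policy would have decided. The policy string and document origin are constructed values, not WhatsApp's real ones, and nonces, hashes and 'unsafe-inline' are not modelled.

```javascript
// Added example (not WhatsApp's or Electron's code): a minimal evaluator for
// the CSP source-list grammar. Supported: 'none', 'self', '*', scheme sources
// such as "https:", and host sources such as "cdn.example.com",
// "*.example.com" or "https://cdn.example.com/static/". Nonces, hashes and
// 'unsafe-inline' are out of scope. Policy and origin below are constructed.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Host pattern match; "*.example.com" matches any subdomain but not the apex.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading `url` from a document at `origin`?
function sourceMatches(source, url, origin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === origin.origin;
  if (s === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  // host source: [scheme://]host[:port][/path]
  let scheme = null;
  let rest = s;
  const i = s.indexOf("://");
  if (i !== -1) {
    scheme = s.slice(0, i + 1);
    rest = s.slice(i + 3);
  }
  const hostPort = rest.split("/")[0];
  const host = hostPort.split(":")[0];
  const port = hostPort.includes(":") ? hostPort.split(":")[1] : null;
  if (scheme !== null) {
    if (url.protocol !== scheme) return false;
  } else if (
    url.protocol !== origin.protocol &&
    !(origin.protocol === "http:" && url.protocol === "https:")
  ) {
    return false; // a scheme-less host source inherits the document's scheme
  }
  if (port !== null && port !== "*" && url.port !== port) return false;
  return hostMatches(host, url.hostname.toLowerCase());
}

// Decide whether a load governed by `directive` (e.g. "script-src") is allowed.
// Fetch directives fall back to default-src; with neither present, CSP imposes
// no restriction on that load.
function isLoadAllowed(policy, directive, resourceUrl, documentOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) || directives.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(resourceUrl);
  const origin = new URL(documentOrigin);
  return sources.some((src) => sourceMatches(src, url, origin));
}

// Constructed policy and origin for demonstration.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://static.example.com; connect-src 'self'";
const SAMPLE_ORIGIN = "https://app.example";

// Evaluate a set of constructed loads against the sample policy. An external
// script or fetch() to attacker.invalid is blocked; img-src falls back to default-src.
function evaluateSamples() {
  return {
    firstPartyScript: isLoadAllowed(SAMPLE_POLICY, "script-src", "https://app.example/main.js", SAMPLE_ORIGIN),
    cdnScript: isLoadAllowed(SAMPLE_POLICY, "script-src", "https://static.example.com/lib.js", SAMPLE_ORIGIN),
    externalScript: isLoadAllowed(SAMPLE_POLICY, "script-src", "https://attacker.invalid/payload.js", SAMPLE_ORIGIN),
    externalFetch: isLoadAllowed(SAMPLE_POLICY, "connect-src", "https://attacker.invalid/data", SAMPLE_ORIGIN),
    imageFallback: isLoadAllowed(SAMPLE_POLICY, "img-src", "https://app.example/logo.png", SAMPLE_ORIGIN),
    externalImage: isLoadAllowed(SAMPLE_POLICY, "img-src", "https://attacker.invalid/x.png", SAMPLE_ORIGIN),
  };
}
```

Running `evaluateSamples()` shows the contrast with what the researcher observed: under an enforced policy of this shape, both the external script load and the external fetch() are denied, which is the property a desktop client loses when its embedded engine does not apply the web application's CSP.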

In an advisory, Facebook revealed that WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10 were affected by the vulnerability. The security researcher was awarded a $12,500 bug bounty for his findings.

Related: WhatsApp Vulnerability Allows Code Execution Via Malicious MP4 File

Related: Vulnerability in WhatsApp Allows Attackers to Crash Group Chats

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
