Vulnerability in WhatsApp Desktop Exposed User Files

Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files from the victim’s system when paired with WhatsApp for iPhone.

Tracked as CVE-2019-18426 and rated high severity (CVSS score 8.2), the bug could be exploited by sending the victim a specially crafted text message containing a link preview. Both Windows and macOS users were affected.

The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who said he found multiple issues in WhatsApp Desktop, starting with an open redirect that led to persistent XSS and a Content Security Policy (CSP) bypass, and ending with a “cross platforms read from the local file system.”

The researcher found that he could bypass WhatsApp’s CSP and execute code on a target system using maliciously crafted messages.

One of the main issues Weizman identified was that an attacker could modify WhatsApp reply messages so that they quoted messages the recipient never sent.

He also found that, because the link-preview banners WhatsApp shows for links in a message body are generated on the sender’s side, an attacker can alter the banner’s properties to hide the site the user is actually taken to when clicking the link.

By tricking the user into clicking a banner that hides a link using a javascript: URI, one could achieve persistent XSS, the researcher says. The trick would not work in Chromium-based browsers, however, as they include a defense mechanism against such attacks.

With the XSS in hand, the researcher was then able to run external code. He crafted a message that loads an iframe; the iframe displays a notification carrying the external code on the top window, where the XSS executes, so the code runs in the context of whatsapp.com.

The WhatsApp Desktop applications for Windows and macOS are built on the Electron platform, which is Chromium-based, so they should have been protected from the XSS attack.

However, because the apps were still based on an outdated version of Chromium (they shipped Chrome 69 when the latest stable release was Chrome 78), WhatsApp’s desktop users remained exposed, the researcher explains.

“Since Chromium 69 is relatively old, exploiting a 1-day RCE is possible! There are more than 5 different 1-day RCEs in Chromium 69 or higher, you just need to find a published one and use it through the persistent XSS found earlier and BAM: Remote Code Execution achieved,” Weizman points out.

The researcher says he did not attempt any code execution attacks, but that he was able to use the fetch() API to read files from the local file system.

“For some reason, the CSP rules were not an issue with the Electron based app, so fetching an external payload using a simple javascript resource worked,” the researcher notes.

In an advisory, Facebook revealed that WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10 were affected by the vulnerability. The security researcher was awarded a $12,500 bug bounty for his findings.

Related: WhatsApp Vulnerability Allows Code Execution Via Malicious MP4 File

Related: Vulnerability in WhatsApp Allows Attackers to Crash Group Chats

Written By

Ionut Arghire is an international correspondent for SecurityWeek.