Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files from the victim’s system when paired with WhatsApp for iPhone.
Tracked as CVE-2019-18426 and considered high severity (CVSS score 8.2), the security bug could be exploited by sending to the victim a specially crafted text message that included a link preview. Both Windows and macOS users were impacted.
The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who said he found multiple issues in WhatsApp Desktop, starting with an open redirect into persistent XSS and Content Security Policy (CSP) bypass, and then a “cross platforms read from the local file system.”
What the security researcher found was that he could bypass WhatsApp’s CSP to execute code on a target system using maliciously crafted messages.
One of the main issues Weizman identified was that an attacker could modify WhatsApp reply messages to include quotes of messages the recipient never sent.
He also discovered that, because the banners WhatsApp displays when links are included in the body of a message are generated on the sender side, an attacker could alter the properties of these banners to hide the actual site the user is taken to when clicking on the link.
By tricking the user into clicking on a banner that hides a link featuring JavaScript URI, one could achieve persistent XSS, the researcher says. The trick, however, would not work on Chromium-based browsers, as they include a defense mechanism to prevent such attacks.
Through an XSS attack, the researcher was then able to run external code. For that, he crafted a message to load an iframe that would display a notification with the content of the external code on the top window, where the XSS executes, and have the code run in the context of whatsapp.com.
The WhatsApp Desktop applications for Windows and macOS are written using the Electron platform, which is Chromium-based, meaning that they should have been protected from the XSS attack.
However, because the apps were still based on a vulnerable version of Chrome — they used Chrome 69 when the latest stable version of Chrome was 78 — WhatsApp’s desktop users were exposed, the researcher explains.
“Since Chromium 69 is relatively old, exploiting a 1-day RCE is possible! There are more than 5 different 1-day RCEs in Chromium 69 or higher, you just need to find a published one and use it through the persistent XSS found earlier and BAM: Remote Code Execution achieved,” Weizman points out.
The researcher says he did not attempt any code execution attacks, but that he was able to use the fetch() API to read files from the local file system.
“For some reason, the CSP rules were not an issue with the Electron based app, so fetching an external payload using a simple javascript resource worked,” the researcher notes.
In an advisory, Facebook revealed that WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10 were affected by the vulnerability. The security researcher was awarded a $12,500 bug bounty for his findings.
Related: WhatsApp Vulnerability Allows Code Execution Via Malicious MP4 File
Related: Vulnerability in WhatsApp Allows Attackers to Crash Group Chats