About a month ago, WhatsApp fixed a bug on its desktop application that allowed attackers to read files from the targeted user’s computer. Now, new information suggests that the bug may have affected who used WhatsApp’s desktop application for Mac or Windows. Further, the bug has likely affected people who paired the desktop application with an iPhone.
The post was published by security firm PerimeterX. Gal Weizman, the company’s security researcher, found vulnerabilities in the app’s Content Security Policy (CSP). The vulnerability could be exploited to send manipulated messaged and links using Cross-Site Scripting (XSS).
Watch: Top Asus laptops launching in 2020
Though the loophole existed on both, it had a wider scope for attackers on the WhatsApp desktop application. The researcher saw that it was possible to read the file system and identify the remote code execution (RCE) potential on the desktop application. Moreover, all the method needed to trick users was a specially crafted message that users would click on.
Weizman also took advantage of the flaws to do a test. He himself send malicious code and was able to read files from a computer’s local file system. Hence, he proved that the method can be used to extract sensitive documents from a machine running WhatsApp‘s desktop application. Weizmann was also able to find code and change it where messages on the desktop app are found. He even went ahead and forged a banner. The banner contained a link preview but also included a potentially malicious link.
The researcher suggested that WhatsApp should not be using the older version of Google’s Chromium platform to avoid such flaws. Moreover, it is a good idea to update both the desktop and your phone to avoid leaving the possibility of an attack. Moreover, you must definitely take care of this if you use an iPhone with the Desktop app.