WhatsApp bug may have allowed attackers to remotely access files on Desktop

New Delhi: WhatsApp has disclosed a bug in its software that may have allowed attackers to remotely access users' files from their desktops. The vulnerability, which has since been fixed by Facebook, could be exploited through the WhatsApp desktop application. It essentially allowed cross-site scripting (XSS) that remote attackers could abuse.

PerimeterX researcher Gal Weizman reported the WhatsApp vulnerability, which is tracked as CVE-2019-18426. According to him, the weakness lay in WhatsApp's Content Security Policy (CSP), which allowed XSS attacks against the desktop app.

In a blog post, the researcher explained that the web client was vulnerable to an open-redirect flaw that could lead to persistent cross-site scripting, triggered by sending specially crafted messages to WhatsApp users.

He also said that, through the bug, he was able to access the file system and identify remote code execution (RCE) potential in the desktop application.

"For some reason, the CSP rules were not an issue with the Electron based app, so fetching an external payload using a simple JavaScript resource worked," Weizman explained in the blog post.
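The quote above turns on whether a Content Security Policy actually blocks an injected script from fetching a remote payload. As an added example (not code from the article or from PerimeterX), the following linter parses a CSP string and reports the script-source expressions that leave that door open; the two sample policies are constructed for illustration and are not WhatsApp's real policy.

```javascript
// Added example, not code from the article or from PerimeterX. A small linter
// that parses a Content-Security-Policy string and reports the source
// expressions that let injected markup load remote scripts or run inline code.
// In an Electron renderer this matters more than in a browser, because an
// injected script there may reach the file system, as the article describes.

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Per the CSP spec, only the first occurrence of a directive is honoured.
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources.map(s => s.toLowerCase());
  }
  return directives;
}

function auditScriptSources(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src; with neither, any script origin loads.
  const src = d['script-src'] ?? d['default-src'];
  if (src === undefined) {
    findings.push('no script-src or default-src: scripts may load from anywhere');
    return findings;
  }
  // A nonce or hash makes browsers ignore 'unsafe-inline', so do not report it then.
  const hasNonceOrHash = src.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  for (const s of src) {
    if (s === "'unsafe-inline'" && !hasNonceOrHash) findings.push("'unsafe-inline' permits injected inline scripts");
    else if (s === "'unsafe-eval'") findings.push("'unsafe-eval' permits eval() and new Function()");
    else if (s === '*') findings.push("'*' permits scripts from any host");
    else if (/^[a-z][a-z0-9+.-]*:$/.test(s)) findings.push(`scheme-only source ${s} permits any host on that scheme`);
    else if (s.startsWith('*.')) findings.push(`wildcard host ${s} permits any subdomain`);
  }
  return findings;
}

// Constructed sample policies (not WhatsApp's): one that an injected payload
// could use to pull a remote script, and a hardened one with 'self' plus a nonce.
const PERMISSIVE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https: *.example.com";
const STRICT_POLICY = "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";

console.log(auditScriptSources(PERMISSIVE_POLICY)); // 3 findings
console.log(auditScriptSources(STRICT_POLICY));     // []
```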

https://i.gadgets360cdn.com/large/whatsapp_desktop_vulnerability_screenshot_perimeterix_1580881570568.jpg (Image: PerimeterX)

Soon after receiving the report, the company patched the bug. "A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message," reads the description of the WhatsApp vulnerability in the US National Vulnerability Database (NVD).