WhatsApp flaw gave attackers access to local files

Does have a lot of vulnerabilities or are there simply a lot of people looking for them?

Ask PerimeterX researcher Gal Weizman, who last year set about poking the world’s most popular messaging platform to see whether he could turn up any new weaknesses.

Sure enough, this week we learned that he uncovered a clutch of vulnerabilities that led him to a tasty cross-site scripting (XSS) flaw affecting WhatsApp desktop for Windows and macOS when paired with WhatsApp for iPhone.

Patched this week as CVE-2019-18426, it’s the sort of weakness iPhone WhatsApp desktop users will be glad to see the back of.

The immediate problem was caused by a gap in WhatsApp’s Content Security Policy (CSP), a security layer used to protect against common types of attack, including XSS.

Using modified JavaScript in a specially crafted message, an attacker could exploit this to feed victims phishing and malware links in weblink previews in ways that would be invisible to the victim.

According to Weizman, this is probably remotely exploitable although the users would still need to click on the link for an attack to succeed.

However, it could also be used to gain read permission to the file system, that is the ability to access and open files and, potentially, for remote code execution (RCE).

You might also like More from author

Comments are closed.