
A security flaw in WhatsApp Web has been disclosed by researcher Gal Weizman. It would have allowed a remote attacker to read files from a user's desktop by sending a specially crafted link as a message. Facebook has acknowledged the vulnerability and issued a fix.
Weizman has published a post explaining how such an attack could have been carried out, as researchers typically do once a flaw has been fixed. The WhatsApp Web flaw is tracked as CVE-2019-18426, and according to its description it affected WhatsApp Web and the desktop version of the app.
The flaw allowed for "cross-site scripting and local file reading" when WhatsApp Desktop versions prior to 0.3.9309 were paired with WhatsApp for iPhone versions prior to 2.20.10. According to the description of the flaw, the vulnerability required the victim to click a link preview from a specially crafted text message.
Facebook says it impacted WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10.
In a statement to indianexpress.com, a WhatsApp spokesperson said, "We regularly work with leading security researchers to stay ahead of potential threats to our users. In this case, we fixed an issue that in theory could have impacted iPhone users that clicked on a malicious link while using WhatsApp on their desktop. The bug was promptly fixed and has been applied since mid December."
In his blog post, Weizman describes how he was able to carry out the cross-site scripting (XSS) attack, bypass the Content Security Policy (CSP), and read files from the local file system on both Windows and Mac. He did this by sending a malicious link on WhatsApp, which was then opened via WhatsApp Web.
A cross-site scripting (XSS) attack allows a remote attacker to execute malicious code inside the user's browser and access their data. Weizman was also able to bypass WhatsApp's CSP rules, which are supposed to protect against exactly this kind of attack.
Weizman discovered that he was able to tamper with messages that carry rich preview banners. These banners typically appear when someone sends a link as a message on WhatsApp and a rich preview is available for the website.
The researcher also revealed in his blog post that he could tamper with the banner properties before sending, because WhatsApp generated the banner on the sender's side. While the vulnerability did not work on Chromium, on Safari and Edge the vulnerability was still wide open, according to him.
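Because the banner is built by the sender, a receiving client has to treat every preview field as untrusted input. The following is an added example, not WhatsApp's code, of receiver-side validation of a sender-supplied preview; the field names (url, title, description) and the rule that the preview must point at a host actually present in the message text are assumptions for illustration.

```javascript
// Added example (not WhatsApp's code): validate a sender-supplied link
// preview before it is rendered. Field names are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape text before it is ever placed into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Return a sanitised preview object, or null if the banner must be dropped.
// `messageText` is the message body the preview claims to describe.
function sanitizeLinkPreview(messageText, preview) {
  if (!preview || typeof preview.url !== "string") return null;
  let target;
  try {
    target = new URL(preview.url);
  } catch {
    return null; // unparsable URL: drop the banner
  }
  // Reject javascript:, file:, data: and any other non-web scheme.
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
  // The banner must describe a link actually present in the message text,
  // so a sender cannot attach a preview that points somewhere else.
  const links = messageText.match(/https?:\/\/\S+/g) || [];
  const linkInText = links.some((raw) => {
    try { return new URL(raw).host === target.host; } catch { return false; }
  });
  if (!linkInText) return null;
  return {
    url: target.href,
    title: escapeHtml(preview.title ?? "").slice(0, 200),
    description: escapeHtml(preview.description ?? "").slice(0, 500),
  };
}
```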
While the latest flaw has already been fixed by WhatsApp, it comes at a time when the app faces more scrutiny. Keep in mind that there is no evidence the flaw has been exploited. Still, users should make sure they are on the latest version of WhatsApp, no matter the platform.