
WhatsApp Flaw Could Have Let Hackers Access Files On PCs

A cybersecurity researcher today disclosed technical details of multiple high severity vulnerabilities he discovered in WhatsApp, which, if exploited, could have allowed remote attackers to compromise the security of billions of users in different ways.


WhatsApp patched a security loophole in its desktop apps last month that could have potentially allowed hackers to access your computer’s local files. Discovered by a cybersecurity researcher at PerimeterX, the vulnerability affected the messaging service’s Windows and Mac clients when they were paired with an iPhone.

When combined, the reported issues could even have enabled hackers to remotely steal files from the Windows or Mac computer of a victim using the WhatsApp desktop app, merely by sending a specially crafted message.

In a blog post published today, Weizman revealed that WhatsApp Web was vulnerable to a potentially dangerous open-redirect flaw that led to persistent cross-site scripting attacks, which could have been triggered by sending a specially crafted message to the targeted WhatsApp users.

“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message,” parent company Facebook wrote in a security advisory.
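Because exploitation depends on the victim clicking a link preview attached to a crafted message, a client can refuse to make a preview clickable unless its target is a plain web URL that also appears in the message text. The following is an added example, not WhatsApp's code or its fix; the message shape `{ text, preview: { url } }` and all function names are hypothetical.

```javascript
// Added example: validate a link preview before rendering it as clickable.
// Assumption: a message looks like { text, preview: { url } } (hypothetical shape).

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse with the WHATWG URL parser; return null for anything unparsable.
function parseUrl(raw) {
  try { return new URL(raw); } catch { return null; }
}

// Collect the http(s) URLs that literally appear in the message text.
function urlsInText(text) {
  const found = [];
  for (const token of String(text).split(/\s+/)) {
    const u = parseUrl(token);
    if (u && ALLOWED_SCHEMES.has(u.protocol)) found.push(u);
  }
  return found;
}

// Decide whether the preview may be rendered as a clickable link.
function checkPreview(message) {
  const p = message.preview;
  if (!p || typeof p.url !== "string") return { ok: false, reason: "no-preview" };

  const target = parseUrl(p.url.trim());
  if (!target) return { ok: false, reason: "unparsable" };

  // Reject script-capable and local schemes (javascript:, data:, file:, ...).
  if (!ALLOWED_SCHEMES.has(target.protocol)) return { ok: false, reason: "scheme" };

  // Reject user@host forms that disguise the real destination.
  if (target.username || target.password) return { ok: false, reason: "userinfo" };

  // The preview must point at a URL the sender actually wrote in the text,
  // compared after normalisation by the URL parser.
  const shown = urlsInText(message.text).some(u => u.href === target.href);
  if (!shown) return { ok: false, reason: "mismatch" };

  return { ok: true, href: target.href };
}

// Constructed sample messages, not taken from the advisory.
const SAMPLES = {
  good: { text: "see https://example.com/article", preview: { url: "https://example.com/article" } },
  script: { text: "see https://example.com/article", preview: { url: "javascript:void(0)" } },
  swapped: { text: "see https://example.com/article", preview: { url: "https://other.example/login" } },
};
```

Render the preview's anchor from the returned `href`, never from the raw field supplied in the message.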

The bug affects WhatsApp Desktop builds prior to v0.3.9309 and WhatsApp for iPhone versions prior to 2.20.10. It was fixed on 21st January 2020. Therefore, to ensure you’re safe, go ahead and update the WhatsApp app on your computer and iPhone.

“Older versions of Google Chrome’s Chromium framework, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome have protections against such JavaScript modifications. Other browsers such as Safari are still wide open to these vulnerabilities,” explained PerimeterX’s founder and CTO, Ido Safruti.

The vulnerability oddly doesn’t impact Android phone owners. We’ve reached out to PerimeterX to understand why it’s an iOS-exclusive issue and will update the story once we hear back.
