WhatsApp patched a security loophole in its desktop apps last month that could have allowed hackers to access your computer’s local files. Discovered by a cybersecurity researcher at PerimeterX, the vulnerability affected the messaging service’s Windows and Mac clients when they were paired with an iPhone.
When combined, the reported issues could even have enabled hackers to remotely steal files from the Windows or Mac computer of a victim using the WhatsApp desktop app, merely by sending a specially crafted message.
In a blog post published today, Weizman revealed that WhatsApp Web was vulnerable to a potentially dangerous open-redirect flaw that led to persistent cross-site scripting attacks, which could have been triggered by sending a specially crafted message to the targeted WhatsApp users.
“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message,” parent company Facebook wrote in a security advisory.
The bug affects WhatsApp Desktop builds prior to v0.3.9309 and WhatsApp for iPhone versions prior to 2.20.10. It was fixed on 21st January 2020. Therefore, to ensure you’re safe, go ahead and update the WhatsApp app on your computer and iPhone.
The vulnerability oddly doesn’t impact Android phone owners. We’ve reached out to PerimeterX to understand why it’s an iOS-exclusive issue and will update the story once we hear back.