Last month, WhatsApp fixed a bug in its desktop app that allowed attackers to read files from your computer. A post published by security firm PerimeterX last night suggests the bug affected people who used WhatsApp’s Mac or Windows app paired with an iPhone.

The company’s security researcher, Gal Weizman, found weaknesses in WhatsApp’s Content Security Policy (CSP) that could be exploited, via cross-site scripting (XSS), to send manipulated messages and links. He was able to take advantage of these flaws to run malicious code or read files from a computer’s local file system. That could have been quite harmful for anyone storing sensitive documents on their machine.
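The article does not publish WhatsApp’s actual policy, so the following is an added illustration rather than code from the article, PerimeterX or WhatsApp: a small audit function that parses a CSP header and flags the settings that most often undermine its protection against XSS (inline or eval’d scripts, wildcard script sources, unrestricted plugins). The sample policies are constructed.

```python
"""Audit a Content-Security-Policy header for settings that weaken XSS protection.

Added example; not code from the article, PerimeterX or WhatsApp. The article
does not disclose WhatsApp's real CSP, so the policies tested here are constructed.
"""


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header: str) -> list:
    """Return findings for weaknesses that commonly allow script injection."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src when absent; no policy at all means no restriction.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval'")
        # With 'strict-dynamic' the host allowlist is ignored, so broad hosts are not the risk.
        if "'strict-dynamic'" not in script:
            for src in script:
                if src == "*" or src in ("http:", "https:", "data:"):
                    findings.append(f"script-src allows overly broad source {src}")
    # object-src also falls back to default-src; if neither exists, plugins are unrestricted.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src not restricted: plugin content can be loaded")
    return findings
```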

[Read: WhatsApp no longer works on millions of (very) old phones]

The researcher was able to find and manipulate the code that forms messages in the desktop app. He then forged a message banner with a link preview that contained a potentially malicious link.

[Image: Forged WhatsApp message with a manipulated link. Credit: PerimeterX]

Weizman suggested that WhatsApp should not build on an older version of Google’s Chromium browser platform if it wants to avoid such flaws. If you use WhatsApp on an iPhone and through its desktop app, you should update both, just to be safe.

You can read the technical details of how Weizman was able to bypass WhatsApp’s CSP here.


https://thenextweb.com/security/2020/02/05/whatsapp-fixed-a-bug-in-its-desktop-app-that-allowed-access-to-files-on-your-computer/
