WhatsApp desktop client exposes remote file access and code execution vulnerabilities

Facebook has just fixed a serious security vulnerability in WhatsApp's desktop platform that could allow an attacker to read files from the local file system on Windows and Mac and even execute code remotely. The vulnerability was discovered by security researchers Gal Weizman and PerimeterX, and the National Institute of Standards and Technology (NIST) assigned it a severity rating of 8.2.


As early as 2017, researchers had found a flaw that made it possible to alter other people's replies. Weizman realized that he could use rich media to craft fake messages and redirect the target to a destination of his choosing.

The security researchers confirmed this further, using JavaScript to achieve a one-click persistent cross-site scripting (XSS) attack.

From there, they were able to bypass WhatsApp's CSP rules to strengthen the attack and even achieve remote code execution.

After some digging, the researchers realized that all this was possible because the WhatsApp desktop app that Facebook ships is built on an outdated version of Chrome, Chrome 69.

The problem came to light when Chrome 78 had officially launched, by which point the JavaScript features used in earlier releases had been patched.

Had WhatsApp updated its Electron web application from 4.1.4 to the version that was latest when the vulnerability was discovered (7.x.x), the XSS would no longer have existed.

Facebook says the CVE-2019-18426 vulnerability affects WhatsApp desktop clients before 0.3.9309 and iPhone clients before 2.20.10.
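As an added example (not code from WhatsApp, Facebook or the researchers), the following check flags inventory entries that fall below the versions quoted above. The inventory rows, host names and field names are constructed for illustration, and using `7` as the Electron baseline is an assumption derived from the article's "7.x.x".

```javascript
// Minimum non-affected versions, taken from the article.
const MINIMUM = {
  desktop: "0.3.9309", // WhatsApp desktop: affected before this
  iphone: "2.20.10",   // WhatsApp for iPhone: affected before this
  electron: "7",       // assumption: article names 7.x.x as latest at discovery
};

// "0.3.9309" -> [0, 3, 9309]; anything non-numeric -> null
function parseVersion(v) {
  if (typeof v !== "string" || !/^\d+(\.\d+)*$/.test(v.trim())) return null;
  return v.trim().split(".").map(Number);
}

// Component-wise numeric compare. A plain string compare would rank
// "2.20.9" above "2.20.10" and miss an affected iPhone client.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function classify(component, version) {
  if (!Object.prototype.hasOwnProperty.call(MINIMUM, component)) return "unknown-component";
  const parsed = parseVersion(version);
  if (parsed === null) return "unparseable"; // surface for manual review
  return compareVersions(parsed, parseVersion(MINIMUM[component])) < 0 ? "outdated" : "ok";
}

// Constructed inventory rows (hypothetical hosts and field names).
const inventory = [
  { host: "ws-001", component: "desktop", version: "0.3.9308" },
  { host: "ws-002", component: "desktop", version: "0.3.10000" },
  { host: "ph-001", component: "iphone", version: "2.20.9" },
  { host: "ph-002", component: "iphone", version: "2.20.10" },
  { host: "ws-001", component: "electron", version: "4.1.4" },
  { host: "ws-003", component: "desktop", version: "unknown" },
];

function audit(rows) {
  return rows.map((r) => ({ ...r, status: classify(r.component, r.version) }));
}

for (const r of audit(inventory)) {
  console.log(`${r.host} ${r.component} ${r.version}: ${r.status}`);
}
```

Entries reported as `unparseable` should be reviewed by hand rather than assumed safe.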

For more information about the vulnerability, see Weizman's blog post on the PerimeterX site.