Facebook has just fixed a serious security vulnerability in WhatsApp's desktop platform that allowed an attacker to read files from the local file system on Windows/Mac and even execute code remotely. The vulnerability was discovered by security researchers Gal Weizman and PerimeterX, and the National Institute of Standards and Technology (NIST) assigned it a severity rating of 8.2.
As early as 2017, researchers had found a problem that made it possible to change other people's responses. Weizman realized that he could use rich media to craft fake messages and redirect the target to a location of his choosing.
The result is a bypass of WhatsApp's Content Security Policy (CSP) rules, which strengthens the attack and even makes remote code execution possible.
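A receiving client can refuse to render a rich-media preview whose visible link and real destination disagree. The check below is an added example, not WhatsApp's code; the message shape (`text`, `preview.displayUrl`, `preview.targetUrl`) and the function names are assumptions made for illustration.

```javascript
// Added illustration: the message shape and every name here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse a URL string; return null instead of throwing on bad input.
function parseUrl(value) {
  if (typeof value !== "string") return null;
  try {
    return new URL(value.trim());
  } catch {
    return null;
  }
}

// Decide whether a peer-supplied link preview is safe to render.
function validateLinkPreview(message) {
  const preview = message && message.preview;
  if (!preview) return { ok: true, reason: "no preview" };

  const shown = parseUrl(preview.displayUrl);
  const target = parseUrl(preview.targetUrl);
  if (!shown || !target) return { ok: false, reason: "unparseable URL" };

  for (const u of [shown, target]) {
    if (!ALLOWED_SCHEMES.has(u.protocol)) {
      return { ok: false, reason: `scheme ${u.protocol} not allowed` };
    }
    // "https://trusted@other-host/" shows one name but connects to another.
    if (u.username || u.password) return { ok: false, reason: "userinfo in URL" };
  }
  // URL normalizes case and IDNs, so compare the parsed hosts.
  if (shown.host !== target.host) {
    return { ok: false, reason: "shown host differs from target host" };
  }
  // The banner must describe a link that is present in the message text.
  if (typeof message.text !== "string" || !message.text.includes(preview.displayUrl)) {
    return { ok: false, reason: "preview URL not in message text" };
  }
  return { ok: true, reason: "consistent" };
}

// Constructed sample messages (not captured traffic).
const samples = [
  { text: "See https://example.com/news", preview: { displayUrl: "https://example.com/news", targetUrl: "https://example.com/news" } },
  { text: "See https://example.com/news", preview: { displayUrl: "https://example.com/news", targetUrl: "https://example.net/login" } },
  { text: "See https://example.com/news", preview: { displayUrl: "https://example.com/news", targetUrl: "file:///etc/hosts" } },
];
for (const m of samples) console.log(m.preview.targetUrl, validateLinkPreview(m));
```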
After some digging, the researchers realized that all this was possible because the version of the WhatsApp desktop app that Facebook offers is based on an outdated version of Chrome, Chrome 69.
Had WhatsApp updated its Electron web application from 4.1.4 to the version that was the latest when the vulnerability was discovered (7.x.x), the XSS would no longer have existed.
Facebook says the CVE-2019-18426 vulnerability affects WhatsApp desktop clients before 0.3.9309 and iPhone clients before 2.20.10.
For more information about the vulnerability, see Weizman's blog post at PerimeterX.