Critical WhatsApp Vulnerability Exposed Local Files
Facebook has fixed a critical vulnerability in WhatsApp that allowed attackers to read files from the local file system on both macOS and Windows. The issue was present in WhatsApp Desktop and could be exploited when paired with WhatsApp for iPhone.
How the Vulnerability Worked
The vulnerability was an XSS (Cross-Site Scripting) flaw in WhatsApp Desktop. To exploit it, an attacker needed to interact with the victim by convincing them to click on a specially crafted link preview sent in a message. Once clicked, the attacker could access files from the victim’s local system.
This issue affected all versions of WhatsApp Desktop older than 0.3.9309 when paired with any version of WhatsApp for iPhone newer than 2.20.10. The vulnerability was discovered by security experts at PerimeterX, assigned the identifier CVE-2019-18426, and received a CVSS3 score of 8.2.
Technical Details
A researcher from PerimeterX found that it was possible to gain read access to files on both Windows and macOS by exploiting an XSS bug in WhatsApp’s Content Security Policy. The researcher demonstrated the use of the fetch() API to read files from the local operating system, such as the contents of C:\Windows\System32\drivers\etc\hosts.
Attack Method and User Impact
According to the researchers, these message modifications would be completely invisible to the average user. Attacks could be carried out by simply modifying the JavaScript code of a message before it was delivered to the recipient.
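Because the attack relied on a crafted link preview and on message content altered before delivery, a receiving client can refuse to render any preview whose URL it cannot tie back to the message text. The following is an added example, not WhatsApp's or PerimeterX's code; the message shape (`body`, `preview.url`), the function name and the sample messages are hypothetical.

```javascript
// Added example: receiving-side validation of link-preview metadata.
// Field names (body, preview.url) are assumptions, not WhatsApp's schema.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, href } when the preview may be rendered,
// otherwise { ok: false, reason } so the client shows plain text only.
function validateLinkPreview(message) {
  const body = typeof message.body === "string" ? message.body : "";
  const preview = message.preview;
  if (!preview || typeof preview.url !== "string") {
    return { ok: false, reason: "missing-url" };
  }
  let parsed;
  try {
    parsed = new URL(preview.url); // parse once, then trust only the parsed form
  } catch {
    return { ok: false, reason: "unparseable-url" };
  }
  // Allowlist, not denylist: anything that is not plain web traffic is refused.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme-not-allowed" };
  }
  // user@host forms make the displayed host misleading.
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "embedded-credentials" };
  }
  // The preview must describe a link that is actually present in the
  // message text, so metadata swapped in transit is not rendered.
  const candidates = body.match(/https?:\/\/[^\s<>"']+/gi) || [];
  const inBody = candidates.some((candidate) => {
    try { return new URL(candidate).href === parsed.href; } catch { return false; }
  });
  if (!inBody) return { ok: false, reason: "url-not-in-body" };
  return { ok: true, href: parsed.href };
}

// Constructed sample messages (not captured traffic).
const BODY = "docs at https://example.com/guide";
const SAMPLES = [
  { body: BODY, preview: { url: "https://example.com/guide" } },
  { body: BODY, preview: { url: "file:///C:/Windows/System32/drivers/etc/hosts" } },
  { body: BODY, preview: { url: "https://example.net/guide" } },
  { body: BODY, preview: { url: "https://user@example.com/guide" } },
];

for (const sample of SAMPLES) {
  console.log(sample.preview.url, "->", JSON.stringify(validateLinkPreview(sample)));
}
```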