Critical WhatsApp Vulnerability Exposed Local Files
Facebook has fixed a critical vulnerability in WhatsApp that allowed attackers to read files from the local file system on both macOS and Windows. The issue was present in WhatsApp Desktop and could be exploited when paired with WhatsApp for iPhone.
How the Vulnerability Worked
The vulnerability was an XSS (Cross-Site Scripting) flaw in WhatsApp Desktop. To exploit it, an attacker needed to interact with the victim by convincing them to click on a specially crafted link preview sent in a message. Once clicked, the attacker could access files from the victim’s local system.
This issue affected all versions of WhatsApp Desktop older than 0.3.9309 when paired with any version of WhatsApp for iPhone newer than 2.20.10. The vulnerability was discovered by security experts at PerimeterX, assigned the identifier CVE-2019-18426, and received a CVSS3 score of 8.2.
Technical Details
A researcher from PerimeterX found that it was possible to gain read access to files on both Windows and macOS by exploiting an XSS bug in WhatsApp’s Content Security Policy. The researcher demonstrated the use of the fetch() API to read files from the local operating system, such as the contents of C:\Windows\System32\drivers\etc\hosts.
Attack Method and User Impact
Attacks could be carried out by simply modifying the JavaScript code of a message before it was delivered to the recipient. According to the researchers, these message modifications would be completely invisible to the average user.
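The two weaknesses the article describes are a link preview whose metadata is rendered as markup, and a Content Security Policy loose enough for injected script to run and call fetch() against arbitrary origins. The following is an added example written for this page, not code from the original article, from WhatsApp or from PerimeterX: it shows a preview renderer that treats remote metadata as untrusted text and accepts only http(s) targets, together with a small CSP auditor that flags the directive settings which would permit that class of bypass. The sample policies, the preview metadata and the host name api.example.invalid are constructed for illustration and say nothing about WhatsApp's real policy.

```javascript
// Added example, not from the original article or from WhatsApp/PerimeterX.
// (1) Render link-preview metadata as escaped text, never as HTML, and allow
//     only http/https preview URLs.
// (2) Audit a Content-Security-Policy header for settings that let injected
//     script execute and reach arbitrary origins through fetch()/XHR.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text that will be interpolated into HTML, so a title or description
// supplied by a remote party cannot carry markup or script.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Accept only http(s) preview targets; javascript:, file:, data: etc. are rejected.
function safePreviewUrl(url) {
  let parsed;
  try { parsed = new URL(String(url)); } catch { return null; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
}

// Build the preview markup from untrusted metadata. Returns null when the URL
// is not an allowed scheme, so the caller renders no preview at all.
function renderPreview(meta) {
  const href = safePreviewUrl(meta.url);
  if (href === null) return null;
  const title = escapeHtml(meta.title ?? '');
  const description = escapeHtml(meta.description ?? '');
  return `<a href="${escapeHtml(href)}"><b>${title}</b><p>${description}</p></a>`;
}

// Parse "directive value value; directive value" into { directive: [values] }.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of String(header).split(';')) {
    const parts = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...values] = parts;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Return a list of { directive, code, message } findings for weak settings.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const flag = (directive, code, message) => findings.push({ directive, code, message });
  // Fetch directives that are not set fall back to default-src.
  const effective = (name) => policy[name] ?? policy['default-src'];

  const scriptSrc = effective('script-src');
  if (scriptSrc === undefined) {
    flag('script-src', 'missing', 'no script-src and no default-src: any script source is allowed');
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) flag('script-src', 'unsafe-inline', 'inline script injected into the page will execute');
    if (scriptSrc.includes("'unsafe-eval'")) flag('script-src', 'unsafe-eval', 'string-to-code evaluation is permitted');
    if (scriptSrc.includes('*')) flag('script-src', 'wildcard', 'scripts may load from any origin');
    if (scriptSrc.some((v) => /^(https?|data|blob):$/i.test(v))) flag('script-src', 'scheme-source', 'a bare scheme allows scripts from every host that uses it');
  }

  const connectSrc = effective('connect-src');
  if (connectSrc === undefined) {
    flag('connect-src', 'missing', 'fetch()/XHR may reach any origin');
  } else {
    if (connectSrc.includes('*')) flag('connect-src', 'wildcard', 'fetch()/XHR may reach any origin');
    if (connectSrc.some((v) => /^file:$/i.test(v))) flag('connect-src', 'file-scheme', 'fetch() of file: URLs is permitted by policy');
  }
  return findings;
}

// Constructed sample policies (not WhatsApp's actual policy).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; connect-src *";
const STRICT_POLICY = "default-src 'none'; script-src 'self'; connect-src 'self' https://api.example.invalid; object-src 'none'; base-uri 'none'";

// Constructed preview metadata with a hostile title.
const SAMPLE_PREVIEW = { url: 'https://example.invalid/a?x=1&y=2', title: '<img src=x onerror=alert(1)>', description: 'it\'s "quoted"' };

console.log(renderPreview(SAMPLE_PREVIEW));
console.log(auditCsp(WEAK_POLICY));
console.log(auditCsp(STRICT_POLICY));
```

The auditor resolves each fetch directive through default-src the way a browser does, so a policy that omits script-src but sets default-src 'none' is reported as clean, while a policy that omits both is flagged. The renderer returns null rather than an empty element for a rejected URL so that a caller cannot accidentally display a preview whose target was stripped.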