Modern communication revolves around the internet and the digital age, allowing people to communicate instantaneously no matter where they are in the world. There are many messaging applications that have come along through the years, but one of the most popular ones used today is WhatsApp. However, security researchers at PerimeterX recently found a vulnerability in WhatsApp that could allow Remote Code Execution (RCE) and the ability to remotely view files on a target system.
WhatsApp, now owned by Facebook, is one of the most popular messaging apps in the world. The desktop platform alone has over 1.5 billion monthly active users. WhatsApp is known for its end-to-end encryption of messages, making it popular among political dissidents in countries where such activities could be severely punished, as well as among criminal groups and privacy enthusiasts.
The vulnerability, CVE-2019-18426, is related to the app’s use of JavaScript and was discovered by PerimeterX cybersecurity researcher Gal Weizman. By manipulating that JavaScript, an attacker can modify both links and website previews in messages so that they appear legitimate while redirecting the victim to malicious sites or downloads. This Cross-Site Scripting (XSS) attack can inject malicious links into messages that appear to come from friends of the target. The payload of these malicious links could be malware that allows an attacker to remotely execute code on the target’s machine for a variety of purposes. The XSS vulnerability stems from a gap in the Content Security Policy (CSP) used by WhatsApp, which also allows an attacker to gain read permissions on the local file system in both the Mac and Windows desktop apps.
The vulnerability has been patched in desktop version 0.3.9309 and newer. Newer versions of Chrome also protect against these types of JavaScript modifications, but other browsers such as Safari do not. Keep your browsers and apps up to date with the latest patches for maximum protection on the technical side. Training users to always be suspicious, especially of links, can also go a long way towards protecting organizations from these types of attacks.
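The link and preview tampering described above is something a receiving client can check for before it renders a preview. The following is an added example, not code from WhatsApp or PerimeterX; the message shape, the function names and the sample messages are assumptions made for illustration.

```javascript
// Added example (not WhatsApp's code): consistency checks a receiving client
// can run on a link preview before rendering it. The message shape
// { text, preview: { displayUrl, targetUrl } } is a hypothetical one.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function parseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null; // not an absolute URL
  }
}

function checkPreview(message) {
  const findings = [];
  const target = parseUrl(message.preview.targetUrl);
  if (!target) return ["target-unparseable"];

  // Only plain web links may be opened from a preview.
  if (!ALLOWED_SCHEMES.has(target.protocol)) findings.push("scheme-not-allowed");

  // The host shown to the user must be the host the click goes to.
  const shown = parseUrl(message.preview.displayUrl);
  if (!shown || shown.hostname !== target.hostname) {
    findings.push("display-host-mismatch");
  }

  // The preview must belong to a link that is actually in the message body.
  const inText = (message.text.match(/https?:\/\/\S+/gi) || [])
    .map(parseUrl)
    .filter(Boolean);
  if (!inText.some((u) => u.href === target.href)) {
    findings.push("target-not-in-text");
  }
  return findings;
}

// Constructed sample messages.
const honest = {
  text: "See https://example.com/news",
  preview: { displayUrl: "https://example.com", targetUrl: "https://example.com/news" },
};
const tampered = {
  text: "See https://example.com/news",
  preview: { displayUrl: "https://example.com", targetUrl: "https://login.example.net/news" },
};
console.log(checkPreview(honest), checkPreview(tampered));
```

A preview with any finding should be dropped and the message shown as plain text, so the user sees only the link that is actually in the message.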