WhatsApp desktop app vulnerabilities led to remote file access, code execution

In brief: Facebook has patched a critical security flaw in WhatsApp’s desktop platform that could have allowed an attacker to read files from the local file system on Windows and Mac and even pull off remote code execution.

The vulnerability, which carries a severity rating of 8.2 according to the National Institute of Standards and Technology, was discovered by security researcher Gal Weizman with PerimeterX.

Its origins date back to 2017 when he uncovered the ability to alter the text of someone else’s reply. From there, Weizman realized he could craft authentic-looking messages with rich media that redirected the target to a destination of his choosing. Parlaying his success even further, the security researcher was able to use JavaScript to gain a one-click persistent XSS.

WhatsApp desktop app vulnerabilities led to remote file access, code execution 1

Weizman pressed on and was eventually able to enhance the power of the persistent XSS by bypassing WhatsApp’s CPS rules. The coup de grâce was realizing that remote code execution was also possible.

After a bit of digging, the researcher realized that it all worked because the versions of the WhatsApp desktop applications being offered up by Facebook were based on Chrome 69, an outdated version of Google’s browser.

This vulnerability was found when Chrome/78 was the stable version! A few versions before Chrome/78, the ability to use the javascript: trick was patched, and if WhatsApp would have updated their Electron web application from 4.1.4 to the latest which was 7.x.x at the time this vulnerability was found(!) – this XSS would never have existed!

Facebook said the vulnerability, CVE-2019-18426, affects WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10.

Weizman’s responsible disclosure of the vulnerability can be found in his PerimeterX blog post.

Masthead credit: WhatsApp by Ink Drop

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Millions in Cryptocurrency Stolen by Scammers in the Last Month According to Tenable Research
November 24, 2021
Behind The Scenes: How this Crypto Community Responded to + $50m Hack
October 18, 2021
Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021

Blockchain/Cryptocurrency Questions and Answers

Crypto casinos
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021
ICo Presale
The Science Behind ICO Presales…
October 14, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin54,387 0.07 % 1.27 % 9.48 %
Ethereum4,085.6 0.03 % 1.52 % 7.90 %
Binance Coin594.05 0.26 % 2.79 % 1.90 %
Tether0.9986 0.03 % 0.08 % 0.23 %
Solana189.52 0.26 % 4.54 % 13.20 %
Cardano1.500 0.40 % 4.44 % 22.11 %
XRP0.9235 0.81 % 3.47 % 16.07 %
USD Coin1.000 0.14 % 0.20 % 0.17 %
Polkadot30.87 2.19 % 17.29 % 10.73 %
Dogecoin0.2215 0.68 % 1.42 % 7.23 %

Bitcoin (BTC) $ 54,301.00
Ethereum (ETH) $ 4,088.18
Binance Coin (BNB) $ 596.04
Tether (USDT) $ 1.00
Solana (SOL) $ 190.16
Cardano (ADA) $ 1.50
XRP (XRP) $ 0.92763
USD Coin (USDC) $ 1.00
Polkadot (DOT) $ 33.63
Dogecoin (DOGE) $ 0.200286