WhatsApp desktop app vulnerabilities led to remote file access, code execution

In brief: Facebook has patched a critical security flaw in WhatsApp’s desktop platform that could have allowed an attacker to read files from the local file system on Windows and Mac and even pull off remote code execution.

The vulnerability, which carries a CVSS base score of 8.2 in the National Institute of Standards and Technology's National Vulnerability Database, was discovered by security researcher Gal Weizman of PerimeterX.

Its origins date back to 2017, when he uncovered the ability to alter the text of someone else's reply. From there, Weizman realized he could craft authentic-looking messages with rich link previews that redirected the target to a destination of his choosing. Parlaying his success even further, the researcher was able to use JavaScript in such a link to gain a one-click persistent XSS.


Weizman pressed on and was eventually able to enhance the power of the persistent XSS by bypassing WhatsApp's Content Security Policy (CSP) rules. The coup de grâce was realizing that remote code execution was also possible.

After a bit of digging, the researcher realized that it all worked because the WhatsApp desktop applications being offered up by Facebook were built on Electron 4.1.4, which bundles Chromium 69, an outdated version of Google's browser engine.

As Weizman put it in his write-up: "This vulnerability was found when Chrome/78 was the stable version! A few versions before Chrome/78, the ability to use the javascript: trick was patched, and if WhatsApp had updated their Electron web application from 4.1.4 to the latest, which was 7.x.x at the time this vulnerability was found(!), this XSS would never have existed!"

Facebook said the vulnerability, CVE-2019-18426, affects WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10.

Weizman’s responsible disclosure of the vulnerability can be found in his PerimeterX blog post.

Masthead credit: WhatsApp by Ink Drop
