WhatsApp desktop app vulnerabilities led to remote file access, code execution

In brief: Facebook has patched a serious security flaw in WhatsApp’s desktop client that could have allowed an attacker to read files from the local file system on Windows and Mac, and potentially to achieve remote code execution.

The vulnerability, which carries a CVSS v3 base score of 8.2 (High) in NIST’s National Vulnerability Database, was discovered by security researcher Gal Weizman of PerimeterX.

Its origins date back to 2017, when Weizman found that the text of a quoted reply could be altered. From there, he realized he could craft authentic-looking messages carrying rich link previews that sent the target to a destination of his choosing, effectively an open redirect inside the chat. Parlaying that further, he used a javascript: URL in the preview link to turn the redirect into a one-click persistent XSS.
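To make the mechanism concrete, here is an added example (it is not code from WhatsApp or from Weizman’s write-up) of a link-preview renderer in the trusting form that turns an attacker-supplied javascript: URL into a clickable link, next to a hardened form that allowlists URL schemes. The preview field names (url, image, title), the sample payload and the Electron wiring in installNavigationGuard are assumptions for illustration.

```javascript
// Added example, not WhatsApp's or PerimeterX's code. Field names, the sample
// preview and the Electron-style callbacks are assumptions for illustration.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalized absolute http(s) URL, or null when the value must not
// be used as an href/src. The WHATWG URL parser does the normalization: it
// lowercases the scheme and strips tabs, newlines and leading whitespace, so
// "JaVaScRiPt:" and "java\tscript:" come back with protocol "javascript:"
// instead of slipping past a naive string-prefix check.
function safeHref(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch (e) {
    return null; // relative, protocol-relative or unparseable: render no link
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Vulnerable: every field comes straight from the message payload, so a URL
// of javascript:... becomes script that runs in the app when clicked.
function renderPreviewUnsafe(preview) {
  return `<a href="${preview.url}"><img src="${preview.image}">` +
         `<span>${preview.title}</span></a>`;
}

// Hardened: scheme allowlist on every URL attribute, HTML escaping on every
// text node, and no link at all when the URL is not plain http(s).
function renderPreviewSafe(preview) {
  const href = safeHref(preview.url);
  const title = escapeHtml(preview.title);
  if (href === null) return `<span>${title}</span>`;
  const image = safeHref(preview.image);
  const img = image === null ? '' : `<img src="${escapeHtml(image)}">`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">` +
         `${img}<span>${title}</span></a>`;
}

// Defence in depth for an Electron host: even if hostile markup reaches the
// DOM, refuse to navigate the renderer anywhere but http(s), and hand links
// that would open a new window to the system browser instead. `contents` is
// assumed to be an Electron webContents and `openExternal` shell.openExternal;
// both are plain callbacks here so the code runs without Electron installed.
function installNavigationGuard(contents, openExternal) {
  contents.on('will-navigate', (event, url) => {
    if (safeHref(url) === null) event.preventDefault();
  });
  contents.setWindowOpenHandler(({ url }) => {
    const href = safeHref(url);
    if (href !== null) openExternal(href);
    return { action: 'deny' };
  });
}

// Constructed sample: a preview whose link the sender has tampered with.
const hostilePreview = {
  url: 'javascript:alert(document.domain)',
  image: 'https://cdn.example.invalid/thumb.png',
  title: 'Breaking news',
};
```

renderPreviewUnsafe(hostilePreview) emits an anchor whose href is the javascript: URL; renderPreviewSafe(hostilePreview) degrades the same preview to plain text. The same safeHref check is reused by the navigation guard, so an injected link is stopped twice: once at render time and again at navigation time.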


Weizman pressed on and was eventually able to enhance the power of the persistent XSS by bypassing WhatsApp’s Content Security Policy (CSP) rules, the browser-enforced restrictions that should have kept injected script from loading outside code. The coup de grâce was realizing that, with local file reading already in hand, remote code execution was also possible.
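A CSP is only as strong as its weakest source expression. The following added example (not WhatsApp’s policy, which the article does not reproduce, and not code from the write-up) is a small CSP evaluator: scriptAllowed() answers whether a policy lets a script load from a given URL, javascriptUrlsAllowed() answers whether javascript: links would run, and auditCsp() flags the settings that make a policy bypassable. The two sample policies and the page origin are constructed for illustration.

```javascript
// Added example, not WhatsApp's policy or code. Sample policies are constructed.
// Not modelled: CSP3 'strict-dynamic' and 'unsafe-hashes', report-only mode.

// Parse "name src src; name src" into a Map. The first occurrence of a
// directive wins, which is what browsers do. Sources are lowercased, so this
// parser must not be used to compare real nonce values.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// script-src falls back to default-src; null means no restriction at all.
function scriptSources(directives) {
  return directives.get('script-src') || directives.get('default-src') || null;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);            // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function effectivePort(url) {
  if (url.port) return url.port;
  return url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '';
}

// Does one source expression match a script URL loaded by the page at `self`?
function sourceMatches(expr, url, self) {
  if (expr === "'self'") return url.origin === self.origin;
  if (expr === '*') return true;
  if (expr.startsWith("'")) return false;      // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr;   // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/.exec(expr);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme) {
    if (url.protocol !== `${scheme}:`) return false;
  } else if (url.protocol !== self.protocol && url.protocol !== 'https:') {
    return false;                               // host-only source: page scheme, or https
  }
  if (!hostMatches(hostPattern, url.hostname)) return false;
  return !port || port === '*' || port === effectivePort(url);
}

function scriptAllowed(policy, scriptUrl, pageUrl) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;            // neither script-src nor default-src
  const self = new URL(pageUrl);
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, self));
}

// javascript: URLs are governed by script-src like inline script: they run
// only when there is no policy, or when 'unsafe-inline' is present without a
// nonce or hash (a nonce or hash makes browsers ignore 'unsafe-inline').
function javascriptUrlsAllowed(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const sources = scriptSources(d);
  const findings = [];
  if (sources === null) findings.push('no script-src or default-src: scripts from anywhere run');
  if (javascriptUrlsAllowed(policy)) findings.push("inline script and javascript: URLs run ('unsafe-inline' or no policy)");
  for (const s of sources || []) {
    if (s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s)) {
      findings.push(`wildcard or scheme-wide source ${s}: any host it covers can serve scripts`);
    } else if (s.includes('*.')) {
      findings.push(`wildcard host ${s}: every subdomain can serve scripts`);
    }
  }
  if (!d.has('object-src') && !d.has('default-src')) findings.push('no object-src: plugin content is unrestricted');
  if (!d.has('base-uri')) findings.push('no base-uri: an injected <base> can redirect relative script URLs');
  return findings;
}
```

Run auditCsp over a policy such as "script-src 'self' 'unsafe-inline' https: *.example.com" and it reports that javascript: links run, that any https host can serve script, and that every subdomain is trusted; a policy of "default-src 'none'; script-src 'self' https://static.example.com; object-src 'none'; base-uri 'none'" produces no findings and rejects a script from any other host.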


After a bit of digging, the researcher realized that it all worked because the WhatsApp desktop builds being offered by Facebook were based on Electron 4.1.4, which bundles Chromium 69, a version of Google’s browser engine that was already several major releases behind the stable channel.

As Weizman put it in his write-up: “This vulnerability was found when Chrome/78 was the stable version! A few versions before Chrome/78, the ability to use the javascript: trick was patched, and if WhatsApp had updated their Electron web application from 4.1.4 to the latest, which was 7.x.x at the time this vulnerability was found (!), this XSS would never have existed!”

Facebook said the vulnerability, CVE-2019-18426, affects WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10.

Weizman’s responsible disclosure of the vulnerability can be found in his PerimeterX blog post.

Masthead credit: WhatsApp by Ink Drop
