A security researcher has uncovered a vulnerability that could have allowed attackers access to your files on your PC.
PerimeterX researcher Gal Weizman uncovered this vulnerability that has been tracked as CVE-2019-18426. The vulnerability has been fixed now and affected WhatsApp desktop application on Windows or Mac computers. Some of the flaws also affected the WhatsApp Web client for the web.
Weizman revealed that the web version of WhatsApp was vulnerable to an open-redirection flaw that led to persistent cross-site scripting attacks. This could have been triggered just by sending specially crafted messages to the victim. When the victim views the malicious message over the browser, it could execute arbitrary code in WhatsApp’s web domain.
If the same message was seen on vulnerable desktop application, the malicious code runs on the system.
The misconfigured content security policy on the WhatsApp web domain allowed him to load XSS payloads of any length using an iframe. The open-redirect flaw could have been used to
“If the CSP rules were well configured, the power gained by this XSS would have been much smaller. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more,” the researcher said in the blog post.
The desktop application of WhatsApp is written using Electron which lets you create “native” applications using standard web features. So, the XSS worked on the WhatsApp desktop app. This could allow the fetch API access and the attacker could read the local file.
Facebook has now patched the flaw and also rewarded Weizman with a $12,500 bug bounty for these findings.
