Using WhatsApp on Your Computer Could Put Your Files at Risk

Researchers have reported a vulnerability in the WhatsApp desktop client, when paired with WhatsApp for iPhone, that puts victims' files on their computers at risk.

Researchers found a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to infiltrate systems and load malware onto them.

  • Hackers could enter through notification messages that appear completely normal to unsuspecting users.
  • Tracked as CVE-2019-18426, the cross-site scripting flaw could potentially allow an attacker to reach a user's local file system simply by sending a specially crafted message.
  • The flaw affected WhatsApp desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10.

How does it work?

The desktop platform of WhatsApp has more than 1.5 billion monthly active users.

  • The vulnerability appeared in the Windows and Mac versions of the app, in the code that manages banners or previews of web links in messages.
  • JavaScript code attached to a malicious banner could bypass the app's protection mechanisms and access the victim's local file system.
  • According to the researcher, the heart of the flaw lies in the Chromium browser engine that the Electron application framework is built on.
  • WhatsApp relies on Electron to provide the user interface for its desktop client.
  • Although the cross-site scripting (XSS) bug had been patched in Chromium some time earlier, WhatsApp's desktop client used an older version of Electron that still bundled the affected Chromium.

"Electron is a cool platform that lets you create 'native' applications using standard web features. This makes things super easy for a lot of big companies since it allows them to have one source code for both their web applications and native desktop applications. Electron constantly updates along with the platform it is based on, Chromium."
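As an added, defender-side illustration (not WhatsApp's or Electron's code, and not from the researcher's report): how a chat client can render untrusted link-preview metadata without letting attached script run, alongside the Electron renderer settings that keep a renderer-side XSS away from Node's file APIs. The `nodeIntegration`, `contextIsolation` and `sandbox` keys are real Electron `webPreferences` options; that they are the relevant hardening for this class of bug is my assumption, since the page does not name them.

```javascript
// Added example, not WhatsApp's or Electron's own code.
// Layer 1 (assumed best practice): renderer settings that deny the web
// content any direct route to Node.js, so an XSS in a preview banner cannot
// call fs APIs. The keys are real Electron webPreferences options.
const hardenedWebPreferences = {
  nodeIntegration: false,  // no require()/fs inside page scripts
  contextIsolation: true,  // preload and page scripts run in separate worlds
  sandbox: true,           // renderer runs inside the Chromium sandbox
};

// Layer 2: treat preview metadata (title, description, url) as untrusted text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) links become clickable; other schemes are shown as inert text.
function safeHref(url) {
  try {
    const u = new URL(url);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Build the banner markup. Every untrusted field passes through escapeHtml,
// so markup or script inside the metadata is displayed, never executed.
function renderLinkPreview(preview) {
  const href = safeHref(preview.url);
  const title = escapeHtml(preview.title || '');
  const desc = escapeHtml(preview.description || '');
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${title}</a>`
    : `<span>${title}</span>`;
  return `<div class="link-preview">${link}<p>${desc}</p></div>`;
}

// Constructed sample message, not real traffic.
const samplePreview = {
  url: 'https://example.com/article',
  title: 'Normal looking <b>headline</b>',
  description: 'A preview that carries markup in its text fields',
};
console.log(renderLinkPreview(samplePreview));
```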