Using WhatsApp on Your Computer Could Put Your Files at Risk
Researchers have reported a vulnerability in the WhatsApp desktop client, when paired with WhatsApp for iPhone, that puts files on the victim's computer at risk.
- Hackers could enter through notification messages that appear completely normal to unsuspecting users.
- Tracked as CVE-2019-18426, the cross-site scripting flaw could potentially allow an attacker to reach the user's local file system simply by sending a specially crafted message.
- The flaw affected WhatsApp desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10.
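For defenders checking exposure, the following Python check is an added example (not from the original article or from WhatsApp) that applies the two version thresholds above to a device inventory. It compares versions numerically, since a plain string comparison would rank 2.20.9 above 2.20.10. The function names and inventory rows are constructed for illustration.

```python
# Added example: flag desktop/iPhone pairings exposed to CVE-2019-18426.
# Thresholds are the ones stated in the article; inventory rows are constructed.
import re

FIXED_DESKTOP = (0, 3, 9309)  # desktop versions prior to this are affected...
FIXED_IPHONE = (2, 20, 10)    # ...when paired with iPhone versions prior to this

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    if not isinstance(text, str) or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def is_older(version, fixed):
    """Numeric comparison, zero-padded so that 2.20 equals 2.20.0."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def classify(desktop, iphone):
    """Return 'affected', 'not affected' or 'unknown' for one pairing."""
    d, p = parse_version(desktop), parse_version(iphone)
    if d is None or p is None:
        # One side unreadable: clear the pairing only if the readable side is fixed.
        known_fixed = (d is not None and not is_older(d, FIXED_DESKTOP)) or \
                      (p is not None and not is_older(p, FIXED_IPHONE))
        return "not affected" if known_fixed else "unknown"
    if is_older(d, FIXED_DESKTOP) and is_older(p, FIXED_IPHONE):
        return "affected"
    return "not affected"

INVENTORY = [  # constructed sample rows: (host, desktop version, iPhone version)
    ("ws-01", "0.3.9308", "2.20.9"),
    ("ws-02", "0.3.9309", "2.20.9"),
    ("ws-03", "0.3.10000", "2.19.120"),
    ("ws-04", "0.3.4479", "2.20.10"),
    ("ws-05", "0.3.9000", "n/a"),
]

def audit(rows):
    """Map each host to its verdict."""
    return {host: classify(d, p) for host, d, p in rows}

if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {verdict}")
```
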
How does it work?
The desktop platform of WhatsApp has more than 1.5 billion monthly active users.
- The vulnerability appeared in the Windows and Mac versions of the app, in the way it handles banners or previews of web links in messages.
- According to the researcher, the heart of the flaw lies in the Chromium browser engine in the application framework Electron.
- WhatsApp relies on it to provide a user interface for its desktop client.
- Although the cross-site scripting (XSS) bug had been patched in Chromium some time earlier, WhatsApp was still using an older version of Electron built on Chromium.
"Electron is a cool platform that lets you create 'native' applications using standard web features. This makes things super easy for a lot of big companies since it allows them to have one source code for both their web applications and native desktop applications. Electron constantly updates along with the platform it is based on, Chromium."