Researcher warns of phishing, malware, and ransomware risk

Feb 5, 2020 06:54 GMT

Security vulnerabilities discovered in the desktop client of WhatsApp expose users to phishing, malware, and ransomware, according to recent research.

PerimeterX cybersecurity researcher and JavaScript expert Gal Weizman says he discovered a flaw in the Content Security Policy (CSP) shipped with WhatsApp, which makes it possible for malicious actors to bypass the CSP and launch cross-site scripting (XSS) attacks against the desktop client.
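Added example, not from the article or from PerimeterX: a small JavaScript auditor that flags Content Security Policy settings which would let injected markup run as script, with a constructed weak policy beside a hardened one. The article does not quote WhatsApp's actual CSP, so both policies below are illustrative assumptions.

```javascript
// Constructed policies for illustration only; the real WhatsApp CSP is not on the page.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const HARDENED_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";

// Split "directive value value; directive ..." into { directive: [values] }.
// Values are lowercased for keyword comparison; nonce/hash values are only pattern-checked.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Returns a list of findings; an empty list means no obvious script-execution weakness.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src; with neither present, scripts are unrestricted.
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
    return findings;
  }
  // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected <script> tags and handlers execute");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': string-to-code paths such as eval() stay open");
  }
  for (const src of scriptSrc) {
    // A bare wildcard or scheme-only source lets any host (or data: URL) supply script.
    if (src === '*' || /^(https?|data|blob):$/.test(src)) {
      findings.push(`script-src contains overly broad source ${src}`);
    }
  }
  return findings;
}

console.log('weak:', auditCsp(WEAK_POLICY));
console.log('hardened:', auditCsp(HARDENED_POLICY));
```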

Both Windows and Mac are affected, and the researcher says that cybercriminals could obtain read permissions on the local file system simply by injecting malicious code or links into messages sent to WhatsApp users, without this content being visible.

This is possible by using JavaScript to modify the content of WhatsApp messages before they are sent to the target; technically, the researcher says, the vulnerabilities allow anyone to inject the malicious code and then send the modified message without any clear sign of tampering.

Old Chrome version

Furthermore, the researcher explains, a hacker can also modify the website previews that are automatically generated when sending a link to someone on WhatsApp, once again to inject code that wouldn’t be visible when the message is received.

The desktop client of WhatsApp was running on an old version of Chrome – according to the research, the app was based on Chrome 69 at a time when the latest stable version of the browser was Chrome 78. The latest versions of Chrome already include changes that block such attacks.

“Older versions of Google Chrome’s Chromium framework, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome have protections against such JavaScript modifications. Other browsers such as Safari are still wide open to these vulnerabilities,” PerimeterX notes.

WhatsApp has already resolved the issues with a dedicated patch in mid-December, according to the Facebook-owned company.