Facebook patched a critical WhatsApp vulnerability that would have allowed potential attackers to read files from a user’s local file system, on both macOS and Windows platforms.
“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading,” Facebook’s security advisory explains. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
All WhatsApp Desktop versions before v0.3.9309 are affected by this issue when paired with WhatsApp for iPhone versions prior to 2.20.10.
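As an added example (not part of the original article or of Facebook's advisory), the affected-version rule above can be applied to an endpoint inventory. The inventory layout, host names and verdict labels are assumptions; versions are compared numerically, so 0.3.10000 is not mistaken for a release older than 0.3.9309.

```python
import re

# Thresholds as stated in the advisory wording quoted in this article.
DESKTOP_FIXED = (0, 3, 9309)  # WhatsApp Desktop: versions before this are affected
IPHONE_FIXED = (2, 20, 10)    # WhatsApp for iPhone: versions prior to this are affected

def parse_version(text):
    """Turn 'v0.3.9309' or '2.20.10' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", (text or "").strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_before(version, fixed):
    """Component-wise numeric comparison with zero padding (2.20 == 2.20.0)."""
    width = max(len(version), len(fixed))
    a = version + (0,) * (width - len(version))
    b = fixed + (0,) * (width - len(fixed))
    return a < b

def classify(desktop_version, paired_platform, paired_version):
    """Return 'affected', 'not_affected' or 'unknown' for one desktop install."""
    desktop = parse_version(desktop_version)
    if desktop is None:
        return "unknown"
    if not is_before(desktop, DESKTOP_FIXED):
        return "not_affected"   # desktop client already at the fixed version
    if not paired_platform:
        return "unknown"        # old desktop client, pairing not recorded
    if paired_platform.lower() != "iphone":
        return "not_affected"   # the advisory as quoted covers the iPhone pairing only
    phone = parse_version(paired_version)
    if phone is None:
        return "unknown"        # old desktop client, phone version missing
    return "affected" if is_before(phone, IPHONE_FIXED) else "not_affected"

# Constructed sample inventory: (host, desktop version, paired platform, phone version).
INVENTORY = [
    ("ws-01", "0.3.9308", "iPhone", "2.20.9"),
    ("ws-02", "v0.3.9309", "iPhone", "2.19.0"),
    ("ws-03", "0.3.4000", "Android", "2.20.1"),
    ("ws-04", "0.3.999", "iPhone", "2.20.10"),
    ("ws-05", "0.3.10000", "iPhone", "2.20.2"),
    ("ws-06", "0.3.9000", "iPhone", None),
]

def triage(inventory=INVENTORY):
    return {host: classify(d, plat, p) for host, d, plat, p in inventory}

if __name__ == "__main__":
    print("\n".join(f"{h}: {v}" for h, v in triage().items()))
```

Hosts that come back as "unknown" are the ones to chase first, since an old desktop client with an unrecorded phone version cannot be ruled out.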
The vulnerability, tracked as CVE-2019-18426, received a CVSS 3.x base score of 8.2 (high severity). Although it could be exploited remotely, exploit attempts required user interaction to succeed.
The flaw was discovered by PerimeterX researcher Gal Weizman when he found a gap in WhatsApp’s Content Security Policy (CSP) that allowed for cross-site scripting (XSS) on the desktop app.
While investigating his discovery, Weizman was able to gain read permissions on the local file system on both Windows and macOS WhatsApp desktop apps.
The researcher says that “the theoretical concept is as follows: if you run an old version of a vulnerable app, one can exploit that vulnerability and do bad things to you.”
“I did, however, demonstrate how I use fetch() API, for example, to read files from the local OS like the content of C:\Windows\System32\drivers\etc\hosts file in this case,” Weizman added.
Before being patched by Facebook, the flaw could have enabled attackers to inject malicious code and links within messages sent to unsuspecting users, with the end goal of
“For reference, WhatsApp has over 1.5 billion monthly active users, so attacks could be executed on a large scale resulting in grave implications,” Safruti added.
Facebook previously fixed a WhatsApp bug that could be used to crash the app in a loop on the phones of a group’s members and another one that allowed attackers to modify or replace media files from a device’s external storage before the recipient could see them.
Yet another critical vulnerability in WhatsApp for Android and iOS, which could crash the app when the user answered a call, was patched in October 2018. A flaw discovered by Check Point that would allow message alteration in chats, and that Weizman used as inspiration for his research, was fixed in August 2018.