WhatsApp patched a security loophole in its desktop apps last month that could have potentially allowed hackers to access your computer’s local files. Discovered by a cybersecurity researcher at PerimeterX, the vulnerability affected the messaging service’s Windows and Mac clients when they were paired with an iPhone.
The flaw was found inside WhatsApp’s Content Security Policy, an extra security layer companies often employ to prevent a certain set of attacks and made possible for malicious actors to manipulate messages and links through a method called Cross-Site Scripting.
When a user would tap on one of these adulterated texts, they would unknowingly grant the attacker permissions to read their computer’s local files, as well as to inject malicious codes. While the vulnerability did require interaction from the user to function, it was possible to execute it remotely.
“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message,” parent company Facebook wrote in a security advisory.
The bug affects WhatsApp Desktop builds prior to v0.3.9309 and WhatsApp for iPhone versions prior to 2.20.10. It was fixed on 21st January 2020. Therefore, to ensure you’re safe, go ahead and update the WhatsApp app on your computer and iPhone.
“Older versions of Google Chrome’s Chromium framework, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome have protections against such JavaScript modifications. Other browsers such as Safari are still wide open to these vulnerabilities,” explained PerimeterX’s founder and CTO, Ido Safruti.
The vulnerability doesn’t impact Android because unlike iOS, it has additional protections in place against Javascript banners. “iOS omitted this check, which enabled banners with malicious content to load on iOS devices,” added a PerimeterX spokesperson.
In the last year, WhatsApp has had a hard time keeping security vulnerabilities out. In November, the Facebook-owned messaging giant patched a flaw that could have let hackers take control of a phone with just an MP4 file. A few weeks back, it was found that that same bug also compromised Amazon’s Jeff Bezos’ phone and sensitive data. Telegram’s CEO later, in a scathing blog post, accused WhatsApp of deliberately planting backdoors for law enforcement agencies and masking them as bugs when caught.