WhatsApp Desktop patches major security vulnerability


UPDATE: A WhatsApp spokesperson has reached out to TechRadar Pro with the following statement saying that the issue has now been fixed:

“We regularly work with leading security researchers to stay ahead of potential threats to our users. In this case, we fixed an issue that in theory could have impacted iPhone users that clicked on a malicious link while using WhatsApp on their desktop. The bug was promptly fixed and has been applied since mid December.”

A cybersecurity researcher has discovered multiple security vulnerabilities in WhatsApp, revealing that one of the most widely used messaging apps is not as safe as once thought.

PerimeterX's Gal Weizman used his JavaScript expertise to find multiple vulnerabilities in the popular messaging app. They could leave users at risk of attack by allowing both the text content and the links in website previews to be tampered with, so that they display false content and modified links that point to malicious destinations.

The vulnerabilities found in the WhatsApp desktop app can be used to aid phishing campaigns and to spread malware, and potentially even ransomware, putting millions of users at risk: the messaging service currently has over 1.5bn monthly active users.

Modifying messages

By finding a gap in the Content Security Policy (CSP) used by WhatsApp, Weizman was able to carry out bypasses as well as cross-site scripting (XSS) on the messaging service's desktop app. This allowed him to gain read permissions on the local file system in both the Mac and Windows desktop apps.

By exploiting these flaws, hackers could target unsuspecting users with harmful code or links injected into their messages. To make matters worse, these message notifications would be completely invisible to the untrained eye. These kinds of attacks are made possible by simply modifying the JavaScript code of a single message before it is delivered to its recipient.

Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it, and then let the app continue to send these messages as it normally does. This bypassed filters and sent the modified message through the app as usual, where it appeared relatively normal in the user interface. Weizman even discovered that website previews, which are displayed when users share web links, can also be tampered with before being shown.

To avoid falling victim to this kind of attack, WhatsApp users should look for text that appears more like a piece of code than like legitimate text. Also, a malicious message can only work if it contains the text “javascript”, so users should look out for this as well if code is visible. Finally, users should exercise caution and avoid opening any links sent by unknown accounts.
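The checks above rely on the user's eye; a client can apply the same idea before it renders a preview. The following is an added example, not code from WhatsApp or PerimeterX: it refuses a link preview whose target is not a plain web URL or whose target host differs from the host shown to the user. The preview object shape (`displayUrl`, `href`) is hypothetical, and reading the “javascript” text as a `javascript:` URL scheme is an assumption.

```javascript
// Added example: the preview object shape ({ displayUrl, href }) is hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse with the WHATWG URL parser so that case or whitespace tricks in the
// scheme are normalised the way a browser engine would normalise them,
// instead of searching the raw string for "javascript".
function parseWebUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return { url: null, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { url: null, reason: "scheme-not-allowed" };
  }
  // "https://shown-host@real-host/" displays one host and visits another.
  if (url.username || url.password) {
    return { url: null, reason: "userinfo-present" };
  }
  return { url, reason: null };
}

// Returns a verdict plus the list of reasons, so a client can log rejections.
function checkLinkPreview(preview) {
  const problems = [];
  const target = parseWebUrl(preview.href);
  const shown = parseWebUrl(preview.displayUrl);
  if (!target.url) problems.push(`href:${target.reason}`);
  if (!shown.url) problems.push(`displayUrl:${shown.reason}`);
  if (target.url && shown.url && target.url.hostname !== shown.url.hostname) {
    problems.push("host-mismatch");
  }
  return { safeToRender: problems.length === 0, problems };
}

// Constructed sample previews (not captured traffic).
const samples = [
  { displayUrl: "https://example.com/news", href: "https://example.com/news" },
  { displayUrl: "https://example.com/news", href: "https://example.net/login" },
  { displayUrl: "https://example.com/news", href: "JavaScript:void(0)" },
  { displayUrl: "https://example.com/news", href: "https://example.com@example.net/" },
];
for (const s of samples) console.log(s.href, JSON.stringify(checkLinkPreview(s)));
```

A preview that fails the check can still be shown as plain, non-clickable text, which keeps the message readable without trusting its link metadata.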

Interested users who want to learn more about Weizman's discovery can check out his blog post on PerimeterX's website.

Anthony Spadafora
