WhatsApp flaw gave attackers access to local files
Does WhatsApp have a lot of vulnerabilities or are there simply a lot of people looking for them?
Ask PerimeterX researcher Gal Weizman, who last year set about poking the world’s most popular messaging platform to see whether he could turn up any new weaknesses.
Sure enough, this week we learned that he uncovered a clutch of vulnerabilities that led him to a tasty cross-site scripting (XSS) flaw affecting WhatsApp desktop for Windows and macOS when paired with WhatsApp for iPhone.
Patched this week as CVE-2019-18426, it’s the sort of weakness iPhone WhatsApp desktop users will be glad to see the back of.
The immediate problem was caused by a gap in WhatsApp’s Content Security Policy (CSP), a security layer used to protect against common types of attack, including XSS.
According to Weizman, this is probably remotely exploitable although the users would still need to click on the link for an attack to succeed.
However, it could also be used to gain read permission to the local file system, that is the ability to access and open files and, potentially, for remote code execution (RCE).