WhatsApp client flaw allows hackers to read files stored on any device
A critical security issue has been uncovered in WhatsApp, one that could allow a hacker to read files stored on a user's device if the Facebook-owned messaging app isn't updated with the latest patch.
Stemming from research about a security flaw found in 2017 where an attacker could change the text of a person's reply within WhatsApp, work by security researcher Gal Weizman of Perimeter X uncovered a number of other security issues. Depending on the particular flaw, Weizman was capable of performing persistent cross-site scripting (XSS) within WhatsApp, as well as being able to read the local file system of a recipient by sending a single message.
The flaws were found to work on the desktop version of WhatsApp for macOS and Windows, which are typically paired to a mobile version, such as the iPhone app.
In their work, Weizman found issues within WhatsApp's Content Security Policy that opened the door to abuse, with the flaws allowing an escalation of severity. On the low end this included manipulating the WhatsApp banner, which appears for messages that include extra information like a link to a website, with tampering of the message enabling it to appear to be linking to Facebook but in reality could include a malicious website URL.
Further abuse of the CSP allowed for XSS to be performed, but while this would be normally damaging to an app, performing the banner manipulation on the desktop version of the app enabled the attacker to find out information about the victim's computer, and to read local files. At this point, it was found the Electron-based webapp was using Chromium version 69 in Electron 4.1.4, an older version that included vulnerabilities enabling the XSS attacks to occur.
The use of Chromium 69 is also an issue, as there are multiple remote code execution attacks possible for that release, and a few others. Weizman further suggested if WhatsApp simply updated their Electron web application from 4.1.4 to a much newer version, "this XSS would never have existed."
Facebook updated the desktop and iPhone app in late January to fix the issues. Electron is at the core of messaging and collaboration platforms Slack and Discord, but it is not clear if those platforms have been impacted, or have been patched.
The revelation of the relatively embarrassing flaws in the WhatsApp desktop client are an issue for Facebook given the scrutiny the company is currently facing in the wake of the hacking of Amazon CEO Jeff Bezos' iPhone. Saudi crown prince Mohammed bin Salman was implicated in the hack, which led to the leaking of compromising information about Bezos to a newspaper in 2018, as it allegedly involved a malformed video sent from the prince's WhatsApp account.
Shortly after the claims were made, Facebook head of global affairs and former UK deputy prime minister Sir Nick Clegg insisted the app was secure. In an interview with the BBC, Clegg insisted WhatsApp's encrypted messages could "not be hacked into" and that it couldn't have been any change to the message in transit -- which is apparently not the case. Exploitation of this WhatsApp client flaw could have easily led to the Bezos hack.
Security researchers were quick to point out that end-to-end encryption wouldn't matter if the message itself is hazardous to open.
Stemming from research about a security flaw found in 2017 where an attacker could change the text of a person's reply within WhatsApp, work by security researcher Gal Weizman of Perimeter X uncovered a number of other security issues. Depending on the particular flaw, Weizman was capable of performing persistent cross-site scripting (XSS) within WhatsApp, as well as being able to read the local file system of a recipient by sending a single message.
The flaws were found to work on the desktop version of WhatsApp for macOS and Windows, which are typically paired to a mobile version, such as the iPhone app.
In their work, Weizman found issues within WhatsApp's Content Security Policy that opened the door to abuse, with the flaws allowing an escalation of severity. On the low end this included manipulating the WhatsApp banner, which appears for messages that include extra information like a link to a website, with tampering of the message enabling it to appear to be linking to Facebook but in reality could include a malicious website URL.
Further abuse of the CSP allowed for XSS to be performed, but while this would be normally damaging to an app, performing the banner manipulation on the desktop version of the app enabled the attacker to find out information about the victim's computer, and to read local files. At this point, it was found the Electron-based webapp was using Chromium version 69 in Electron 4.1.4, an older version that included vulnerabilities enabling the XSS attacks to occur.
The use of Chromium 69 is also an issue, as there are multiple remote code execution attacks possible for that release, and a few others. Weizman further suggested if WhatsApp simply updated their Electron web application from 4.1.4 to a much newer version, "this XSS would never have existed."
Facebook updated the desktop and iPhone app in late January to fix the issues. Electron is at the core of messaging and collaboration platforms Slack and Discord, but it is not clear if those platforms have been impacted, or have been patched.
The revelation of the relatively embarrassing flaws in the WhatsApp desktop client are an issue for Facebook given the scrutiny the company is currently facing in the wake of the hacking of Amazon CEO Jeff Bezos' iPhone. Saudi crown prince Mohammed bin Salman was implicated in the hack, which led to the leaking of compromising information about Bezos to a newspaper in 2018, as it allegedly involved a malformed video sent from the prince's WhatsApp account.
Shortly after the claims were made, Facebook head of global affairs and former UK deputy prime minister Sir Nick Clegg insisted the app was secure. In an interview with the BBC, Clegg insisted WhatsApp's encrypted messages could "not be hacked into" and that it couldn't have been any change to the message in transit -- which is apparently not the case. Exploitation of this WhatsApp client flaw could have easily led to the Bezos hack.
Security researchers were quick to point out that end-to-end encryption wouldn't matter if the message itself is hazardous to open.
Comments
Still elevated rights are needed to do more than local damage.
That line?
The message is encrypted between the sender and the recipient, but then it gets decrypted on the recipient's device and can "go off". There's no way for an intermediary to insert content or protect the end user.
I never used it. I never will. This isn’t even the start of why, but it’s definitely added motivation to resist the peer pressure of other people saying that I should use it just because they do.
You would miss a lot in Europe (Germany, France, Spain, Netherland, Belgium, Italy...). All groups are on WhatsApp or fb messenger. I would never install messenger but WhatsApp is just too popular here.