A chain of high-severity vulnerabilities in WhatsApp could, when exploited together, have allowed remote attackers to compromise users of the desktop client, which sits in front of a messaging base of billions of users.
Gal Weizman, a security researcher at PerimeterX, found the vulnerabilities and has published the technical details. Chained together, they could have let an attacker read files from the Windows or macOS computer of a victim running the WhatsApp desktop app, starting from nothing more than a specially crafted message; the published advisory notes that the victim has to click the crafted link preview for the chain to fire.
The chain is tracked under a single identifier, CVE-2019-18426 (WhatsApp Desktop before 0.3.9309 paired with WhatsApp for iPhone before 2.20.10), and the flaws reside in WhatsApp Web, the browser version of the messaging application, which the desktop app also wraps.
In a blog post, Weizman showed that WhatsApp Web was vulnerable to an open-redirect flaw that led to persistent cross-site scripting: the payload is stored in a message, so it is triggered by sending that specially crafted message to the targeted user.
When the victim views the malicious message in a browser, the flaw lets the attacker execute arbitrary JavaScript in the context of WhatsApp's web origin, with all the access to the session that implies.
When the same message is viewed in the vulnerable desktop application, which is built on Electron and loads the same web code, the malicious script runs on the recipient's machine in the context of that application rather than in a browser sandbox, which is what turns an XSS into local file access.
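The page does not reproduce WhatsApp's link-handling code, so the following is an added illustration rather than the researcher's exploit: a naive "does this look like a web link?" check beside a hardened one. The naive check, the hardened check, the `renderLink` helper and the sample hrefs are all constructed for this example; the general point is that a link whose target is chosen by the sender must be validated on its parsed scheme, not on what the string happens to contain.

```javascript
// Added example (not WhatsApp's or the researcher's code): how a link check
// that looks at the wrong thing lets an attacker-controlled href become script
// execution in the page's origin, and a hardened check that does not.

// Naive check: looks for "http" anywhere and for something host-shaped.
// A javascript: URL that merely *contains* those substrings passes.
function isSafeLinkNaive(href) {
  const lowered = String(href).toLowerCase();
  return lowered.includes("http") && /[a-z0-9-]+\.[a-z]{2,}/.test(lowered);
}

// Hardened check: parse with the WHATWG URL parser and allow only an explicit
// list of schemes. Unparsable (including relative) input is rejected, and the
// scheme is read from the parsed URL, which is already lower-cased.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeLink(href) {
  let url;
  try {
    url = new URL(String(href));
  } catch {
    return false; // relative or malformed: do not render it as a link at all
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Render an anchor only if the supplied check accepts the href; otherwise
// fall back to plain text. Attribute and text content are HTML-escaped.
function renderLink(href, text, check = isSafeLink) {
  const escape = (s) =>
    String(s).replace(/[&<>"']/g, (c) =>
      ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
  if (!check(href)) return `<span>${escape(text)}</span>`;
  return `<a href="${escape(href)}">${escape(text)}</a>`;
}

// Constructed sample hrefs (illustrative, not payloads from the disclosure).
const SAMPLE_HREFS = [
  "https://example.com/page",
  "javascript:alert(document.domain)//https://example.com",
  "JaVaScRiPt:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "../relative/path",
];

// Run both checks over the samples; the second entry is the one that slips
// past the naive check and is rejected by the hardened one.
function auditSamples() {
  return SAMPLE_HREFS.map((href) => ({
    href,
    naive: isSafeLinkNaive(href),
    hardened: isSafeLink(href),
  }));
}
```

The naive check is representative of substring and regex based link filters; the hardened version lets the URL parser do the normalisation (case, whitespace, scheme extraction) and then applies an allow-list, which is the only check that survives encoding tricks in the scheme.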
The Content Security Policy served on the WhatsApp web domain was also misconfigured: it did not stop the page from framing other origins, so the researcher could load XSS payloads of any length through an iframe pointing at a separate attacker-controlled website, instead of being limited to whatever fits inside a message.
As Weizman put it, with well-configured CSP rules the power gained by this XSS would have been much smaller. Because the policy could be bypassed, an attacker could pull in external payloads easily, steal data from the victim's session, and more.
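Why a missing directive matters is easiest to see by evaluating a policy. The block below is an added example, not WhatsApp's actual policy (which this page does not reproduce) and not the researcher's tooling: a small evaluator that answers "does this Content-Security-Policy let a document from origin X be loaded under directive Y?", implementing the CSP fallback chain `frame-src` -> `child-src` -> `default-src`. The two policies, the `web.example.com` page and the `attacker.example` origin are constructed for the example.

```javascript
// Added example, not WhatsApp's policy or the researcher's tooling: evaluate
// whether a Content-Security-Policy lets a document from some origin be
// loaded under a given directive. The point is the fallback chain
// frame-src -> child-src -> default-src: when none of those is set, iframes
// from any origin are permitted, no matter how tight script-src is.

// Fallback chains from CSP Level 3. An absent directive inherits from the
// next name in its chain; when the chain is exhausted, nothing restricts it.
const FALLBACK = {
  "frame-src": ["frame-src", "child-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "object-src": ["object-src", "default-src"],
  "img-src": ["img-src", "default-src"],
};

// Parse "name src src; name src" into a Map. A repeated directive name is
// ignored after its first occurrence, as the spec requires.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// The source list that governs `directive`, or null if no directive does.
function effectiveSources(policy, directive) {
  const chain = FALLBACK[directive] || [directive, "default-src"];
  for (const name of chain) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit `target` when the page is `self`?
// Port and path matching are omitted to keep the example short.
function sourceMatches(expr, target, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === self.origin;
  if (e.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes name no origin
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(e);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme) {
    if (target.protocol !== scheme + ":") return false;
  } else if (target.protocol !== self.protocol &&
             !(self.protocol === "http:" && target.protocol === "https:")) {
    return false; // a scheme-less host-source inherits the page's scheme (http may upgrade)
  }
  return hostMatches(host, target.hostname);
}

function allows(header, directive, targetUrl, pageUrl) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true; // nothing governs this directive
  const target = new URL(targetUrl);
  const self = new URL(pageUrl);
  return sources.some((expr) => sourceMatches(expr, target, self));
}

// Constructed policies for a hypothetical web.example.com; neither is the
// policy WhatsApp actually served. WEAK_CSP locks down scripts but sets no
// default-src and no frame-src, so any origin can be framed.
const PAGE = "https://web.example.com/";
const WEAK_CSP =
  "script-src 'self'; connect-src 'self' wss://web.example.com; img-src 'self' data:";
const HARDENED_CSP =
  "default-src 'none'; script-src 'self'; connect-src 'self' wss://web.example.com; " +
  "img-src 'self' data:; frame-src 'self'; object-src 'none'; base-uri 'self'";

// Compare the two policies for an <iframe> pointing at `targetUrl`.
function compareFrame(targetUrl) {
  return {
    weak: allows(WEAK_CSP, "frame-src", targetUrl, PAGE),
    hardened: allows(HARDENED_CSP, "frame-src", targetUrl, PAGE),
  };
}
```

`compareFrame("https://attacker.example/payload.html")` returns `weak: true, hardened: false`: the weak policy never mentions frames and has no `default-src` to fall back on, so the iframe loads. The fix is not a longer `script-src` but a restrictive `default-src` plus explicit `frame-src`, `object-src` and `base-uri`, which is what the hardened policy does.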
Weizman demonstrated the remote file read attack over WhatsApp by accessing the content of the hosts file from a victim’s computer.
The open-redirect flaw could also be used to manipulate link previews (the banner WhatsApp shows under a message containing a link, naming the domain it points to), so that a message displays one domain while the link leads somewhere else, which is a ready-made phishing lure.
Weizman reported the issues to Facebook's security team in 2019; the team patched the flaws and released an updated version of the desktop application, and he was awarded a bug bounty of $12,500. Since the desktop app ships its own browser engine, the fix depends on users actually updating the client, not only on the server-side changes to WhatsApp Web.