Discovered by PerimeterX cybersecurity researcher Gal Weizman, the vulnerability, tracked as CVE-2019-18426, resided in WhatsApp Web, which also powers WhatsApp's Electron-based cross-platform apps for desktop operating systems. According to Weizman, the flaw could allow attackers to inject malicious JavaScript into messages and remotely read files through an outdated WhatsApp client.

“A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message,” reads the description of the WhatsApp vulnerability provided in the U.S. National Vulnerability Database (NVD).

In his blog post, Weizman explained that WhatsApp Web was vulnerable to an open-redirect flaw that could have led to persistent cross-site scripting attacks, triggered by sending specially crafted messages to targeted WhatsApp users. Weizman found a gap in WhatsApp's Content Security Policy (CSP) that allowed cross-site scripting (XSS) on the desktop application. By sending a single message he was able to read a recipient's local file system, and he identified remote code execution (RCE) potential on the desktop application. The affected WhatsApp user only had to view the malicious message in the browser; this would have let remote attackers execute arbitrary code in the context of WhatsApp's web domain.

“For some reason, the CSP rules were not an issue with the Electron-based app, so fetching an external payload using a simple JavaScript resource worked,” Weizman stated. “CSP rules are super important and could have prevented a big part of this mess. If the CSP rules were well configured, the power gained by this XSS would have been much smaller. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more.”

According to Weizman, WhatsApp should not build on older versions of Google's Chromium browser platform if it wants to avoid such flaws. “Older versions of Google Chrome’s Chromium framework, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome have protections against such JavaScript modifications. Other browsers such as Safari are still wide open to these vulnerabilities,” PerimeterX notes.

Facebook patched the vulnerability last year after Weizman reported it. Speaking about the vulnerability, a WhatsApp spokesperson said, “We regularly work with leading security researchers to stay ahead of potential threats to our users. In this case, we fixed an issue that in theory could have impacted iPhone users that clicked on a malicious link while using WhatsApp on their desktop. The bug was promptly fixed and has been applied since mid-December.”

Now that the company has fixed the flaw, users are advised to update both the WhatsApp desktop app and the phone app on their Android or iOS device.
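Weizman's point is that a permissive CSP turns an injected script tag into a loader for arbitrary external payloads. The following is an added example, not code from the article, PerimeterX or WhatsApp: a small auditor for the effective script-src of a Content-Security-Policy header, run against two constructed sample policies (WhatsApp's real policy is not on the page and is not reproduced here).

```javascript
// Added example (not from the article or from WhatsApp/PerimeterX): audit the
// script-src part of a CSP header for source expressions that let a page load
// scripts from arbitrary origins or run injected inline script.

function parseCsp(header) {
  // A CSP is ';'-separated directives, each "name source source ...".
  // Per spec, the first occurrence of a directive name wins.
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

function auditScriptSrc(header) {
  const policy = parseCsp(header);
  // script-src falls back to default-src; with neither, any script loads.
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) {
    return ['no script-src or default-src: scripts from any origin are allowed'];
  }
  const findings = [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  for (const s of sources) {
    if (s === '*' || /^https?:$/.test(s) || /^https?:\/\/\*(:\d+)?$/.test(s)) {
      findings.push(`${s}: permits loading scripts from any host`);
    } else if (s === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push("'unsafe-inline': an injected inline <script> executes");
    } else if (s === "'unsafe-eval'") {
      findings.push("'unsafe-eval': string-to-code (eval) is allowed");
    } else if (s === 'data:' || s === 'blob:') {
      findings.push(`${s}: scripts can be built from attacker-controlled URIs`);
    }
  }
  return findings;
}

// Constructed sample policies: a weak one and a hardened one.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://static.example.com; " +
  "object-src 'none'; base-uri 'self'";

console.log(auditScriptSrc(WEAK_CSP));     // two findings
console.log(auditScriptSrc(HARDENED_CSP)); // []
```

Under the weak policy an XSS only needs a single script tag pointing at any HTTPS host; under the hardened one the injected tag has no valid nonce and its host is not allow-listed, so the browser refuses to run it.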