Flaws in WhatsApp’s desktop app allowed remote access to files

by Sean Gallagher, Ars Technica

Facebook has patched a WhatsApp bug that would let someone read files off your desktop. (credit: NurPhoto/Getty Images)

Facebook has issued a security advisory for a flaw in WhatsApp Desktop that could allow an attacker to mount cross-site scripting attacks and read files on macOS or Windows PCs by sending a specially crafted text message. The attacker could retrieve the contents of files on the computer at the other end of a WhatsApp text message and potentially do other illicit things.

The flaw, discovered by researcher Gal Weizman at PerimeterX, is a result of a weakness in how WhatsApp's desktop client was implemented using the Electron software framework, which has had significant security issues of its own in the past. Electron allows developers to create cross-platform applications based on Web and browser technologies, but an Electron app is only as secure as the components and settings developers ship with it.

Weizman first found cross-site scripting vulnerabilities in WhatsApp in 2017, when he discovered he could tamper with the metadata of messages, craft bogus preview banners for Web links, and create URLs that could conceal hostile intent within WhatsApp messages. But as he continued exploring the WhatsApp client, he found that he could inject JavaScript code into messages that would run within WhatsApp Desktop, and then gain access to the local file system using the JavaScript Fetch API.

