Security researcher Gal Weizman from PerimeterX disclosed technical details of a number of dangerous vulnerabilities (united under the common identifier CVE-2019-18426) found in the desktop version of the WhatsApp messenger.Using these vulnerabilities, attackers could remotely steal files from computers running Windows or macOS.
“I really wanted to find a major security flaw in a well-known and widely used service, and I felt like WhatsApp was a good start. So I gave it a go since I already had some clue of existing security flaws in WhatsApp mobile and web applications. I managed to find four more unique security flaws in WhatsApp which led me all the way to persistent XSS and even reading from the local file system – by using a single message”, — writes Gal Weizman.
In particular, the specialist discovered a potentially dangerous vulnerability such as Open Redirect, which allows conducting an XSS attack by sending a specially crafted message. If the victim sees a malicious message, the attacker can execute arbitrary code in the context of the WhatsApp domain.
Another problem was the incorrectly configured Content Security Policy (CSP) on the WhatsApp web-domain, which allows downloading useful XSS-loads using iframes from a site controlled by an attacker.
“If the CSP rules were correctly configured, the impact of the XSS attack smaller. The ability to bypass the CSP configuration allowed an attacker to steal valuable victim information, easily load external payloads, and much more”, – noted the expert.
Weizmann demonstrated a remote file attack via WhatsApp, gaining access to the contents of the hosts file from the victim’s computer. According to the researcher, the open redirect vulnerability could also be used to manipulate URL banners – a preview of the domain that WhatsApp displays to recipients when they receive a message containing links.
“It is 2020, no product should be allowing a full read from the file system and potentially a RCE from a single message”, – summed up Gal Weizman.
Weizmann announced in Facebook his discovery, and the company released a revised desktop version of the messenger.
What a dumb thing is WhatsApp, only I recently wrote that attacker in a WhatsApp group chat could disable messengers of other participants. However, the Internet and real world are quite dangerous too.