Researcher Found Serious Security Flaws in WhatsApp

WhatsApp needs no introduction, as it is the most popular and widely used social media app. But what if we told you that WhatsApp had some serious security flaws, which researchers found earlier?

Researcher Detects Multiple Security Flaws in WhatsApp

  • A researcher found flaws in WhatsApp and reported them to the tech giant Facebook so that all of them could be fixed.

A few months ago, reports said that security researchers had warned WhatsApp users about flaws that allow cybercriminals to crash a group chat with a destructive app-killing message and delete the whole group chat history.

Recently, a researcher decided to investigate the popular messaging app WhatsApp. He found clues pointing to existing security flaws in WhatsApp.

Researchers have discovered a critical vulnerability that could allow hackers to remotely access files on a Windows or Mac computer. The bug, which has been fixed by Facebook, could be exploited through the WhatsApp desktop app. It was a mix of a few flaws in the WhatsApp desktop app. Some of those bugs were already present in the WhatsApp Web client, which runs in web browsers. The vulnerability essentially allowed cross-site scripting (XSS) by remote attackers.

PerimeterX researcher Gal Weizman said the WhatsApp bug is tracked as CVE-2019-18426. He also noted that the security flaw existed within the Content Security Policy (CSP) of WhatsApp, which allowed XSS attacks on the desktop app.

In a blog post, the researcher mentioned that the Web client was vulnerable to an open redirect flaw that could lead to persistent cross-site scripting attacks, which are triggered by sending crafted messages to WhatsApp users.

The scope of the flaw was considerably wider on the WhatsApp desktop app. The researcher said that he was able to read the file system and identified remote code execution (RCE) potential on the desktop app. The only condition was that WhatsApp users had to click on the specially crafted message for hackers to gain backdoor access.

Weizman said in the post, “For some reason, the CSP rules were not an issue with the Electron-based app, so fetching an external payload using a simple JavaScript resource worked.”
