Last Updated on , By
 In AppSealing Blog, AppSealing News

It is very convenient to access WhatsApp using your desktop or laptop but before you do so, ensure that you have the latest version of the application. Gal Weizman, a researcher at California-based PerimeterX, found a major flaw in the desktop platform that allowed hackers to remotely access your computer via just a code-injected message.

Once such a message is opened, attackers gain access to not only your account but files on the computer as well. If your application is not updated to the latest version (0.4.612.0), you must avoid opening messages from any unknown sources at any cost.

Weizman discovered that rich preview banners could be made to appear easily, a flaw that hackers could use to entice users to click malicious links masked with a familiar preview picture. It does not end there: Users with browsers that do not automatically block JavaScript redirect attempts face far more serious threats.

Weizman found that he could exploit the platform’s vulnerability by crafting a cross-site scripting attack that would mask automatic redirects to malicious websites using familiar preview banners. If the browser or antivirus fails to detect and halt the redirect, the user can invite a lot of trouble by just opening the malicious message. This could allow attackers to gain reading permission, which, in turn, gives them access to the target’s local files.

This flaw can be traced back to the time WhatsApp desktop was introduced in 2016 and is still present in outdated versions of the application. However, it is unknown if any hackers took advantage of this flaw before Weizman discovered it.

Experts believe that the best way to keep attackers at bay is to update to the latest version of the desktop application. Using an antivirus or the latest version of Google Chrome that inspects JavaScript links before loading provides users a safety net even if the message is opened. The mobile application seems to be unaffected by this threat.

PerimeterX suggests that at the organizational level, there must be a configuring content security policy to avert any cross-site scripting attacks. It is also vital to update anything operating on the outdated Chromium, as researches have shown that the roots of the bug can be traced back to Google’s Chromium framework.

This desktop flaw reopens the debate about whether WhatsApp is entirely safe. The developers of the Facebook-owned application say that they do not store any messages or recordings on their servers and use end-to-end encryption, making it virtually impossible even for them to monitor users’ messages. But, last year, hackers managed to break into the walls by using the sophisticated Pegasus spyware. It is believed that the spyware was used by the Indian government, among others, to monitor officials, journalists, and activists in the run-up to the 2019 General Election.

But, despite these vulnerabilities, WhatsApp still is considered one of the safest messaging applications when it comes to data privacy. However, it is only a matter of time that another bug surfaces, causing more jitters.

Govindraj Basatwar
Govindraj Basatwar
Govindraj is a Global Sales Head for AppSealing at INKA Entworks. He keenly follows the innovation and development in cybersecurity, IT, content and application security, and software development, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world. His views on industry trends and best practices have been featured in articles, white papers, and had been a keynote guest at multiple security events.

Leave a Comment