In AppSealing Blog

It is very convenient to access WhatsApp using your desktop or laptop but before you do so, ensure that you have the latest version of the application. Gal Weizman, a researcher at California-based PerimeterX, found a major flaw in the desktop platform that allowed hackers to remotely access your computer via just a code-injected message.

Once such a message is opened, attackers gain access to not only your account but files on the computer as well. If your application is not updated to the latest version (0.4.612.0), you must avoid opening messages from any unknown sources at any cost.

Weizman discovered that rich preview banners could be made to appear easily, a flaw that hackers could use to entice users to click malicious links masked with a familiar preview picture. It does not end there: Users with browsers that do not automatically block JavaScript redirect attempts face far more serious threats.

Weizman found that he could exploit the platform’s vulnerability by crafting a cross-site scripting attack that would mask automatic redirects to malicious websites using familiar preview banners. If the browser or antivirus fails to detect and halt the redirect, the user can invite a lot of trouble by just opening the malicious message. This could allow attackers to gain reading permission, which, in turn, gives them access to the target’s local files.

This flaw can be traced back to the time WhatsApp desktop was introduced in 2016 and is still present in outdated versions of the application. However, it is unknown if any hackers took advantage of this flaw before Weizman discovered it.

Experts believe that the best way to keep attackers at bay is to update to the latest version of the desktop application. Using an antivirus or the latest version of Google Chrome that inspects JavaScript links before loading provides users a safety net even if the message is opened. The mobile application seems to be unaffected by this threat.

PerimeterX suggests that at the organizational level, there must be a configuring content security policy to avert any cross-site scripting attacks. It is also vital to update anything operating on the outdated Chromium, as researches have shown that the roots of the bug can be traced back to Google’s Chromium framework.

This desktop flaw reopens the debate about whether WhatsApp is entirely safe. The developers of the Facebook-owned application say that they do not store any messages or recordings on their servers and use end-to-end encryption, making it virtually impossible even for them to monitor users’ messages. But, last year, hackers managed to break into the walls by using the sophisticated Pegasus spyware. It is believed that the spyware was used by the Indian government, among others, to monitor officials, journalists, and activists in the run-up to the 2019 General Election.

But, despite these vulnerabilities, WhatsApp still is considered one of the safest messaging applications when it comes to data privacy. However, it is only a matter of time that another bug surfaces, causing more jitters.

Govindraj Basatwar, Global Business Head
Govindraj Basatwar, Global Business Head
A Techo-Commerical evangelist who create, develop, and execute a clear vision for teams. Successfully created a SaaS business model with multi Million Dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market entering strategy, business plan, sales, and business development activities.

Leave a Comment