WhatsApp Desktop Vulnerability Exposed Users Files To Hack



Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files on the victim's macOS or Windows PC.

Tracked as CVE-2019-18426, Facebook says "a vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message".

According to the security researcher who discovered it, Gal Weizman at PerimeterX, the bug stems from a weakness in how WhatsApp Desktop was implemented on the Electron software framework, which had known issues some time ago. Electron allows developers to create cross-platform applications based on Web and browser technologies.


The researcher said he found multiple issues in WhatsApp Desktop, starting with an open redirect that led to persistent XSS and a Content Security Policy (CSP) bypass, and then a "cross platforms read from the local file system."


Weizman explained that he could bypass WhatsApp's CSP to execute code on a target system using maliciously crafted messages. An attacker could modify WhatsApp reply messages to include quotes of messages the recipient never sent.

Usually, when a WhatsApp user sends a link to another user, WhatsApp displays a banner generated from the link on the sender's side. However, an attacker could alter the properties of that banner to create bogus preview banners for Web links, producing URLs that hide malicious intent within WhatsApp messages.

Further, the attacker could also inject JavaScript code into the message that would run within WhatsApp Desktop and then gain access to the local file system using the JavaScript Fetch API.

The Desktop applications for Windows and macOS are written using the Electron platform, which is Chromium-based. However, the apps were built on a vulnerable, outdated version of Chrome, Chrome 69 to be precise, whereas the latest version at the time was Chrome 78.

"Since Chromium 69 is relatively old, exploiting 1 1-day RCE is possible! There are more than 5 different 1-day RCEs in Chromium 69 or higher, you just need to find a published one and use it through the persistent XSS found earlier and BAM: Remote Code Execution achieved," Weizman points out.
