A vulnerability in the WhatsApp Desktop app could leave users exposed to cross-site scripting and local file reading.
According to a new report from Ars Technica, WhatsApp last month fixed a bug in its desktop app that allowed attackers to read files from your computer. A post published by security firm PerimeterX last night suggests the bug affected folks who used either WhatsApp’s Mac or Windows app paired with an iPhone.
The firm’s security researcher, Gal Weizman, found vulnerabilities in WhatsApp’s Content Security Policy (CSP) that could be exploited to send manipulated messages and links using Cross-Site Scripting (XSS). He was able to take advantage of these flaws to send malicious code or read files from a computer’s local file system.
The desktop platform has more than 1.5 billion monthly active users. The high-severity bug could impact those that also use WhatsApp for iPhone, if they don’t update their desktop and mobile apps, and if they don’t use newer versions of the Chrome browser.
“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message,” parent company Facebook wrote in a security advisory.
More specifically, “The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations,” PerimeterX founder and CTO Ido Safruti wrote in a blog post, on Tuesday.
The bug affects WhatsApp Desktop builds prior to v0.3.9309 and WhatsApp for iPhone versions prior to 2.20.10. It was fixed on 21st January 2020. Therefore, to ensure you’re safe, go ahead and update the WhatsApp app on your computer and iPhone.