A Bug in WhatsApp's Desktop App Allowed Hackers to Read Local Files

Cyber-security researchers take identified a critical JavaScript vulnerability in the WhatsApp desktop app prior to versions 0.iii.9309. Originally discovered by Gal Weizman of PerimeterX, the vulnerability affects both the Windows and Mac versions of the app, and could potentially permit cyber-criminals to inject malware or perform remote lawmaking execution using seemingly innocuous messages.

According to the National Vulnerability Database, the vulnerability (CVE-2019-1842) "when paired with WhatsApp for iPhone versions prior to 2.20.10, allows cross-site scripting and local file reading." In essence, it allows cyber-criminals to execute phishing or ransomware campaigns through notification letters that appear normal at commencement sight.

The most critical vulnerability manifestly allowed attackers to merely send some malicious JavaScript in a WhatsApp message to take control over a target device remotely and read local files.

WhatsApp'due south desktop applications, which demand to exist paired with the Android or iOS version of the app to piece of work, are built using spider web-browser technology with the Electron framework. Every bit it turns out, WhatsApp developers were using an old, out-of-date version of Chromium (version 69), which was already known to have these vulnerabilities. The standard do is to always update the lawmaking with the latest version of Chromium while using Electron, as per Weizman.

WhatsApp's desktop apps take more than one.5 billion users globally, and it isn't immediately articulate as to how many of them are affected by the issue. Facebook has already updated the software with the requisite patches, so the latest version should exist free from the problem.

As mentioned already, WhatsApp Desktop v0.iii.9309 and earlier versions are affected by the vulnerability, so yous should update to the latest version as soon as possible. Y'all can as well learn more than about the effect from Weizman's report on the official PerimeterX blog.