If you are using the WhatsApp desktop application on a Mac or Windows PC, please apply the patch now. Previous versions are riddled with security holes, so if you are using WhatsApp for iOS, please update that as well.
"WhatsApp Desktop in combination with WhatsApp for iPhone is vulnerable to cross-site scripting and local file reading," Facebook explained in a brief security advisory posted in late January. "To exploit this vulnerability, users need to click on a link preview in a specially crafted text message."
The affected versions are "WhatsApp Desktop v0.3.9309 and earlier and WhatsApp for iPhone 2.20.10 and earlier," Facebook added.
However, the problem is not that simple. In a blog post yesterday (February 4), PerimeterX researcher Gal Weizman revealed that he had discovered at least five different ways to exploit the WhatsApp program on Mac and Windows. Whether you use an iPhone or not, the WhatsApp desktop client needs to be updated.
The problem stems from the fact that WhatsApp was using an older version of Chromium (version 69) as the base of its application until the latest update. However, Chromium had long since been upgraded (current version is 80) and many known flaws had been fixed.
Many modern desktop applications such as Discord, Skype, Slack, Spotify, WhatsApp, and even Windows 95 emulators are built on top of Chromium browser technology. One of the advantages of this technology is that Macs, PCs, and Linux can all use the same software.
Israeli company Check Point previously discovered that drafts of WhatsApp messages can be broken apart on the desktop before they are sent.
Weizman put this research into action and had WhatsApp's desktop application (and in some cases the browser client for the WhatsApp website) play various pranks, such as redirecting WhatsApp users to dangerous websites, sending malicious files to their computers, and even infecting them with malware. (Antivirus software may help prevent this from happening.)
Weizman's blog post is worth a read. It is quite technical, but enjoyable to read and surprisingly easy to understand. If you want to get a sense of how browser-based desktop applications work, this article is a good place to start.