- WhatsApp discovered with another severe XSS vulnerability (CVE-2019-18426)
- The flaw can be triggered by tampering with ‘link preview’ banners
- Exploit could lead to reading local files, installing malware, ransomware and RCE
- Perimeterx found the flaw, Facebook patched it
- Users advised to update their apps and desktop web browsers
- WhatsApp for iPhone versions prior to 2.20.10 affected
Remember the time WhatsApp was all the rage among the smartphone users, from the milkman to the filmstars.
It still is, but lately, the revolutionary application that made SMS obsolete and changed the way we text has been in news for all the wrong reasons.
It’s no surprise that the most widely used technology is also the most widely exploited one and WhatsApp has seen several severe attacks that have forced people to question its security and consider the risks that digitalisation carries.
Read this article to know what is the new severe security hazard your favourite texting app has been hosting.
Vulnerability in WhatsApp Desktop
Marked as CVE-2019-18426, WhatsApp has a critical flaw that allows an attacker to read local files from your device when you are using the WhatsApp desktop app paired with your WhatsApp for iPhone.
The flaw rated as highly severe with a score of 8.2 allows the attacker to do cross-site-scripting (XSS), one of the most common types of cyberattacks.
By modifying the Java Script of a message before sending it to the victim, an attacker can cause a fatal blow to the innocent user.
Both the links and the content of the message can be manipulated to exploit.
Triggering the vulnerability requires you to interact, i.e. clicking a link preview in a manipulated message, in this case.
The link preview is the banner that is generated when you share a link on WhatsApp.
More about CVE-2019-18426
Gal Weizman, a cybersecurity expert from PerimeterX discovered the vulnerability.
He started looking into the app when he came across some flaws that allowed hackers to tamper with the message content.
Gal soon figured out a way to inject malicious payload in a message using his hacking skills.
By bypassing WhatsApp’s Content Security Policy and launching Cross-Site Scripting, Gal was able to blow his own mind and read local files.
The vulnerability resides in the way that WhatsApp filters and allows the ‘link preview’ banners on the receiver’s end without verifying them properly.
What is the potential loss and how can you avoid it?
Phishing, installing malware and ransomware, stealing sensitive information, remote code execution, are all just different names of getting into ‘major trouble’.
Facebook has patched the flaw as soon as possible but possibilities of 0-day attacks cannot be ruled out yet.
Seeing how motivated bad actors are always ready to jump at newfound vulnerabilities, several important individuals could be at risk.
Not to mention that WhatsApp is used by billions of people around the world, like you and us, who are all put under the danger of being severely attacked, unless they update their applications.
“Affected versions are WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10,” clarified Facebook. Both Windows and MacOS are affected by the flaw.
Here’s what you can do to protect yourself from potential attacks:
- Check if your web browser is updated. In Google Chrome, go to Settings > Help > About Chrome and update if necessary.
- Update your WhatsApp immediately.
- Ignore messages from strange phone numbers.
- Stay clear of any web links and their banners shared by people.
Recently, the world’s richest man was found to be hacked by Saudi Arabian prince through a WhatsApp video.
Let us know what you think about the growing security loopholes in WhatsApp?
Share this with your friends and family as soon as possible. Tell us your opinions in the comments section below.
Stay tuned, stay safe.