A security flaw has been discovered in WhatsApp Web that lets cyber criminals send fake messages giving them access to files on the victim’s computer.
Security researcher Gal Weisman pointed out that a malicious link can be hidden behind a misleading message that is constructed to look like a link to an ordinary website.
Once the user clicks the link, it launches a script that allows the attacker to retrieve files from the compromised computer and opens a backdoor that could cause more trouble.
He noted that the exploitation of the web app was possible because Facebook built the WhatsApp desktop app using the Electron software framework.
Electron is used by developers to build cross-platform apps based on browser technologies, and in this case it used an older version of the Chrome browser’s Chromium engine, the one behind Chrome 69.
More recent versions of the Chromium engine – Chrome 78 and above – have been able to catch malicious code.
Ars Technica reported that the vulnerability affects iPhone users running WhatsApp desktop versions 0.3.9309 and earlier who paired the desktop app with an iOS version of WhatsApp older than 2.20.10.
Facebook has since released a patch to fix the issue.
Users are advised to update the WhatsApp app on the computers and smartphones they use to connect to WhatsApp Web.
This flaw, first reported by Perimeter X researcher Gal Weisman, revealed a mix of several high-severity vulnerabilities in WhatsApp Web.
According to the report, the WhatsApp Web vulnerability is tracked as CVE-2019-18426, which allowed cross-site scripting (XSS).
This problem, which Facebook has reportedly fixed, could trigger an open-redirect flaw, leading to frequent cross-site scripting attacks carried out by sending fabricated messages to WhatsApp users.
The report further notes that the vulnerabilities affect WhatsApp desktop software version 0.3.9309 and earlier, as well as those who linked the app with iOS versions of WhatsApp before 2.20.10.
The US National Vulnerability Database (NVD) also released a report describing the WhatsApp vulnerability:
A vulnerability in WhatsApp desktop versions before 0.3.9309 allows cross-site scripting and local file reading when paired with WhatsApp for iPhone versions before 2.20.10. The victim needs to click on the link preview from a specially prepared text message to uncover the vulnerability.
This is not the first WhatsApp bug reported in the recent past. A few months ago, researchers at global cybersecurity firm Check Point reported a serious vulnerability in WhatsApp’s phone app that allowed hackers to introduce a catastrophic message into a group chat, at which point the group chat crashed and the entire group chat history was destroyed forever. The solution: installing the latest version or, more accurately, deleting the application and reinstalling it on the phone.
The only way to fix the recent vulnerability is to update your desktop version and then update the app to the latest version on your Android and iOS phones. If you do not keep it updated, such vulnerabilities creep into your app.
According to Perimeter X researcher Gal Weisman, Facebook-owned instant messaging app WhatsApp has been affected by a new bug. The discovered vulnerability enabled hackers to remotely access files from WhatsApp Web and from a Windows or Mac computer.
The vulnerability is said to be an amalgamation of a number of faults in the WhatsApp desktop app and even in the part of WhatsApp Web that runs in web browsers like Google Chrome and Safari. Reportedly, WhatsApp’s content security policy (CSP) contained weaknesses that could be used to send manipulated messages and links using cross-site scripting (XSS). The researcher was able to tweak the URL and send a malicious link instead of a legitimate link by including a valid-looking banner.
“The banner is being prepared by the sender on WhatsApp and this is an important point to understand. One can easily tamper with the banner properties before sending them to the receiver. Great recipe for trouble here,” the researcher said. Explaining how he was able to build a malicious link, he wrote, “The first thing I did was to produce a message that would include a legitimate looking banner, but instead of changing the link to another domain but will redirect.”
The description provided in the US National Vulnerability Database explains this vulnerability simply: “A vulnerability in WhatsApp desktop versions before 0.3.9309 allows cross-site scripting and local file reading when paired with WhatsApp for iPhone versions before 2.20.10. To expose the vulnerability, the victim must click on the link preview from a specially prepared text message.”
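Because the banner (the link preview) described above is built by the sender, a receiving client has to treat its fields as untrusted input. The following is an added example, not code from WhatsApp or from the researcher: it checks a preview's target against the URLs visible in the message text before the preview is made clickable. The message shape and the names checkPreview and urlsInText are assumptions made for illustration.

```javascript
// Added example: receiver-side check of a sender-supplied link preview.
// The message shape { text, preview: { title, url } } is hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Collect the http(s) URLs that are visible in the message text.
function urlsInText(text) {
  const found = [];
  for (const m of String(text).matchAll(/https?:\/\/[^\s<>"']+/gi)) {
    const candidate = m[0].replace(/[.,;:!?)]+$/, ""); // drop trailing punctuation
    try { found.push(new URL(candidate)); } catch { /* not a URL, skip */ }
  }
  return found;
}

// Returns { ok, reason }; render the preview as clickable only when ok is true.
function checkPreview(message) {
  const preview = message.preview;
  if (!preview || typeof preview.url !== "string") {
    return { ok: false, reason: "no preview url" };
  }
  let target;
  try {
    target = new URL(preview.url);
  } catch {
    return { ok: false, reason: "unparseable preview url" };
  }
  // Anything other than http(s) must never become a clickable preview.
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + target.protocol };
  }
  // The preview must point at an origin the user can see in the text.
  // This does not catch an open redirect hosted on that same origin.
  if (!urlsInText(message.text).some((u) => u.origin === target.origin)) {
    return { ok: false, reason: "preview origin not in message text" };
  }
  return { ok: true, reason: "preview matches message text" };
}

// Constructed sample messages (not captured traffic).
const SAMPLES = [
  { text: "Read https://example.com/news.", preview: { title: "News", url: "https://example.com/news" } },
  { text: "Read https://example.com/news", preview: { title: "News", url: "https://other.example.net/x" } },
  { text: "Read https://example.com/news", preview: { title: "News", url: "javascript:void(0)" } },
];
for (const s of SAMPLES) console.log(s.preview.url, "->", checkPreview(s).reason);
```

A check like this complements, and does not replace, a strict content security policy and an up-to-date rendering engine.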