WhatsApp Bug Could Have Allowed Attackers to Remotely Access Files on Your Desktop

The WhatsApp vulnerability has been tracked as CVE-2019-18426.

Advertisement
By Jagmeet Singh | Updated: 5 February 2020 11:17 IST
Highlights
  • WhatsApp desktop application vulnerability is classed as “high”
  • It impacted WhatsApp Web client to some extent as well
  • WhatsApp users are recommended to install the latest desktop version

WhatsApp desktop application versions prior to 0.3.9309 are affected by the newly reported vulnerability

WhatsApp has been discovered to have a critical vulnerability that could have allowed attackers to remotely access files from a Windows or Mac computer. The vulnerability, which has been fixed by Facebook, could be exploited using the WhatsApp desktop application. It was a mix of multiple high-severity flaws that existed within the WhatsApp desktop application. Some of those flaws were also a part of the WhatsApp Web client that works on Web browsers. The vulnerability essentially allowed for cross-site scripting (XSS) that could be used by remote attackers.

PerimeterX researcher Gal Weizman discovered the WhatsApp vulnerability that has been tracked as CVE-2019-18426. The researcher stated that the security loophole existed within the Content Security Policy (CSP) of WhatsApp that allowed for XSS attacks on the desktop app. The flaw in the CSP also impacted the WhatsApp Web client to some extent as it provided space to alter rich preview banners with malicious content.

Advertisement

The researcher in a blog post mentioned that the Web client was vulnerable to an open-redirect flaw that could have led to persistent cross-site scripting attacks triggered by sending specially crafted messages to WhatsApp users.

However, the scope of the loophole is found to be quite wider on the WhatsApp desktop application over what was discovered on its Web client. The researcher found that he was able to read the file system and identify the remote code execution (RCE) potential on the desktop application. The only thing that the affected WhatsApp users had to do was to click on the specially crafted message to provide backdoor access to attackers.

Advertisement

"For some reason, the CSP rules were not an issue with the Electron based app, so fetching an external payload using a simple JavaScript resource worked," Weizman explained in the blog post.

The researcher demonstrated an attack that could take place using the vulnerability by showing a screenshot highlighting the content of the hosts file fetched from a victim's computer remotely using the WhatsApp desktop application.

Advertisement

WhatsApp vulnerability on its desktop has been demonstrated
Photo Credit: PerimeterX

Advertisement

 

Facebook patched the vulnerability upon receiving an alert from Weizman last year. Moreover, the vulnerability is classed as “high”.

"A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message," reads the description of the WhatsApp vulnerability provided in the US National Vulnerability Data (NVD).

Late last month, the NVD site revealed that WhatsApp disclosed as many as 12 vulnerabilities in 2019, including seven “critical” ones. The number of vulnerabilities disclosed was significantly higher than the one or two security flaws the instant messaging app reported in the past few years.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Sony LinkBuds Clip With Up to 37 Hours of Battery Life Launched in India
  2. God of War Laufey Will be Available on Disc, Santa Monica Studio Confirms
  3. Moto G77 Power With a 7,000mAh Battery Goes on Sale in India: See Offers
  4. These OnePlus Tablets Are Now More Expensive in India
  5. Samsung Could Prioritise This Phone Over the Galaxy Z TriFold 2
  6. What TRAI Said About Its Mandate On 1600 and 140 Series Phone Numbers
  1. Redmi Turbo 6 Series Chipset Details Leaked, Could Be Equipped With 10,000mAh Battery
  2. Bonzo Lend Hit by $9 Million Oracle Exploit on Hedera Network
  3. Samsung Galaxy Z TriFold 2 Could Be Delayed as Company Plans Slidable Phone's Debut, Tipster Claims
  4. TRAI Confirms 1600 and 140 Series Phone Numbers Cannot Be Tagged, Filtered
  5. Sony LinkBuds Clip Launched in India With Open-Ear Clip Design, Up to 37 Hours of Battery Life: Price, Features
  6. Assassin's Creed Black Flag Resynced Sells 2 Million Copies on Launch Day
  7. Google Pixel 11 Pro Fold Spotted in Pine Colourway Ahead of Made by Google Event
  8. Bitcoin Holds Near $63,000 Despite Renewed Geopolitical Tensions
  9. Moto G77 Power With 7,000mAh Battery, 50-Megapixel Camera Goes on Sale in India: Price, Offers
  10. OnePlus Pad Go 2, Pad Lite Price in India Increased Amid Ongoing RAM Shortage
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.