Tuesday, September 28, 2021

Expert discovers WhatsApp vulnerability allowing hackers to access data


A cybersecurity expert has unearthed a vulnerability in WhatsApp Web for desktop computers that exposes the private files of users to hackers.

The flaw was found by JavaScript expert Gal Weizman, and affects users with an iPhone paired to WhatsApp Web.

Weizman found a gap in the Content Security Policy (CSP) used by WhatsApp, which allowed normal security measures to be bypassed and enabled cross-site scripting (XSS) on the desktop app.

This also allowed him to gain read permissions on the local file system in both the Mac and Windows desktop apps. Long story short, unsuspecting users could be subject to harmful code or links injected into their seemingly innocuous exchanges.

These message modifications would be completely invisible to the untrained eye. Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient.

Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow.

This bypassed filters and sent the modified message through the app as usual, appearing relatively normal in the user interface. Weizman also found that website previews, displayed when users share web links, can be tampered with before being shown.

The vulnerability, reported to WhatsApp by Weizman and fixed in December, could have given hackers access to private files, photos, and videos stored on a computer.

WhatsApp claims there are no known cases of a criminal exploiting this vulnerability to hack a customer.

Remedy to avoid WhatsApp hacking:

Weizman, however, also gave advice on how to avoid any malicious content.

He said that users should look for text that might appear more like a piece of code than like legitimate text.

The malicious message can only work if it contains the text “javascript:”, so users should treat that text as a warning sign whenever it is visible in a message.

Users should exercise caution and avoid opening any links sent by unknown accounts. Preview banners and URLs can be misleading—even if these seem to be legitimate, users should only open them when received from a trusted source.
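The same two checks (no "javascript:" link, and a preview banner that matches where the link really goes) can be automated. The sketch below is an added example, not code from WhatsApp or from Weizman's research; the preview fields `href` and `displayUrl` are hypothetical and all sample values are constructed. It goes slightly beyond the advice above by parsing the link instead of searching for the literal text, so differently cased or padded spellings of the scheme are also caught.

```javascript
// Added example. The preview object shape (href, displayUrl) is hypothetical,
// and every sample value below is constructed for illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function checkLinkPreview(preview) {
  const findings = [];
  let target;
  try {
    // The URL parser trims surrounding whitespace and lowercases the scheme,
    // so " JaVaScRiPt:" is reported as "javascript:".
    target = new URL(preview.href);
  } catch {
    return { safe: false, findings: ["href is not an absolute URL"] };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    findings.push(`scheme ${target.protocol} is not allowed`);
  }
  // Compare the host shown in the preview banner with the host the link opens.
  let shown = null;
  try {
    shown = new URL(preview.displayUrl);
  } catch {
    findings.push("displayed URL is not an absolute URL");
  }
  if (shown && shown.hostname !== target.hostname) {
    const a = shown.hostname || "(no host)";
    const b = target.hostname || "(no host)";
    findings.push(`banner shows ${a} but link opens ${b}`);
  }
  return { safe: findings.length === 0, findings };
}

// Constructed sample previews.
const samples = [
  { name: "clean", href: "https://example.com/news", displayUrl: "https://example.com/" },
  { name: "script scheme", href: " JaVaScRiPt:void(0)", displayUrl: "https://example.com/" },
  { name: "host mismatch", href: "https://login.example.net/", displayUrl: "https://example.com/" },
];

for (const s of samples) {
  const r = checkLinkPreview(s);
  console.log(s.name, r.safe ? "ok" : "flagged: " + r.findings.join("; "));
}
```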
