A cybersecurity expert has unearthed a vulnerability in WhatsApp Web for desktop computers that exposes users' private files to hackers.
The researcher, Weizman, exploited a weakness in WhatsApp's Content Security Policy that allowed normal security measures to be bypassed.
Weizman found a gap in the Content Security Policy (CSP) used by WhatsApp, enabling CSP bypasses and cross-site scripting (XSS) on the desktop app.
This in turn gave him read access to the local file system on both the Mac and Windows desktop apps. In short, unsuspecting users could have harmful code or links injected into their seemingly innocuous conversations.
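The article does not say which directive in WhatsApp's policy was weak, only that the CSP could be bypassed to reach XSS. The following is an added defender-side example, not WhatsApp's code or Weizman's research: a small auditor that parses a Content-Security-Policy header value and flags the generic weaknesses that let injected markup execute script despite a CSP. The two sample policies (`WEAK_CSP`, `STRICT_CSP`) are constructed for illustration and are not WhatsApp's actual headers.

```javascript
// Added example (not from the original article): audit a CSP header value
// for directives that leave an XSS foothold. Sample policies are constructed.

// Parse "name value value; name value" into { name: [values] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values.map((v) => v.toLowerCase());
  }
  return policy;
}

// Return a list of human-readable findings; an empty list means none of
// the generic script-execution weaknesses below were detected.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent.
  const script = policy["script-src"] || policy["default-src"];
  if (!script) {
    findings.push("no script-src and no default-src: any injected <script> runs");
  } else {
    // A nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2+),
    // so only flag it when neither is present.
    const hasNonceOrHash = script.some((v) => /^'(nonce|sha(256|384|512))-/.test(v));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash: inline handlers and injected <script> run");
    }
    if (script.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': eval()/new Function() on attacker-controlled strings");
    }
    // Scheme-wide or wildcard sources let script load from any matching URL.
    for (const v of script) {
      if (["*", "https:", "http:", "data:", "blob:"].includes(v)) {
        findings.push(`script-src allows scheme-wide or wildcard source ${v}: any URL of that kind can supply script`);
      }
    }
  }

  // object-src also falls back to default-src; base-uri does not.
  if (!policy["object-src"] && !policy["default-src"]) {
    findings.push("object-src missing with no default-src fallback: plugin content is unrestricted");
  }
  if (!policy["base-uri"]) {
    findings.push("base-uri missing: an injected <base> tag can redirect relative script URLs");
  }
  return findings;
}

// Constructed sample policies (not WhatsApp's real headers).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'";

function demo() {
  console.log("weak:", auditCsp(WEAK_CSP));     // three findings
  console.log("strict:", auditCsp(STRICT_CSP)); // []
}
demo();
```

Run it with `node` to see the weak policy flagged for 'unsafe-inline', the `https:` scheme source and the missing `base-uri`, while the nonce-based strict policy produces no findings. In a real deployment the same checks are worth running against the headers an Electron or web app actually serves, since a single permissive source in `script-src` is enough to turn an HTML injection into executable script.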
Working through the WhatsApp desktop platform, Weizman was able to locate the code where messages are formed, tamper with it, and then let the app continue its normal message-sending flow.
This bypassed the filters and sent the modified message through the app as usual, so it appeared relatively normal in the user interface. Weizman also found that website previews, displayed when users share web links, can be tampered with before being shown.
The vulnerability reported to WhatsApp by Weizman and fixed in December could have given hackers access to private files, photos, and videos stored on a computer.
WhatsApp claims there are no known cases of a criminal exploiting this vulnerability to hack a customer.
Remedy to avoid WhatsApp hacking:
Weizman also gave advice on how to avoid malicious content.
He said that users should look for text that appears more like a piece of code than like legitimate text.
Users should exercise caution and avoid opening any links sent by unknown accounts. Preview banners and URLs can be misleading; even if they seem legitimate, users should only open them when they come from a trusted source.