
How WhatsApp Bug Allowed Malicious Code-Injection



A cybersecurity researcher has discovered multiple security vulnerabilities in WhatsApp revealing that it’s not as safe as once thought. A critical security bug was disclosed in WhatsApp that could allow a hacker to read files stored on a user’s device.

The Security Vulnerability
PerimeterX’s Gal Weizman used his JavaScript expertise to find multiple vulnerabilities in the popular messaging app. These could leave users at risk of attack by allowing both the text content and the links in website previews to be tampered with, so that they display false content and modified links that point to malicious destinations.

The security vulnerabilities found in the WhatsApp desktop app can be used to aid phishing campaigns and to spread malware, potentially even ransomware. This puts millions of users at risk, as the messaging service currently has over 1.5 billion monthly active users.

Research Findings
Starting from research into a security flaw found in 2017, in which an attacker could change the text of a person’s reply within WhatsApp, security researcher Gal Weizman of PerimeterX uncovered a number of other security issues. Depending on the particular flaw, Weizman was able to perform persistent cross-site scripting (XSS) within WhatsApp, as well as read the local file system of a recipient by sending a single message. The flaws were found to work on the desktop version of WhatsApp for macOS and Windows, which is typically paired with a mobile version, such as the iPhone app.

In his work, Weizman found issues within WhatsApp’s Content Security Policy that opened the door to abuse, with the flaws allowing an escalation of severity. On the low end, this included manipulating the WhatsApp banner, which appears for messages that include extra information like a link to a website. By tampering with the message, the banner could be made to appear to link to Facebook while in reality it carried a malicious website URL.

Damage Control
Shortly after the claims were made, Facebook head of global affairs and former UK deputy prime minister Sir Nick Clegg insisted the app was secure. In an interview with the BBC, Clegg insisted WhatsApp’s encrypted messages could “not be hacked into” and that there couldn’t have been any change to the message in transit, which is apparently not the case. Exploitation of this WhatsApp client flaw could have easily led to the Bezos hack.

Security researchers were quick to point out that end-to-end encryption would not matter if the message itself is hazardous to open.

To avoid falling victim to this kind of attack, WhatsApp users should look for text that appears more like a piece of code than like legitimate text. Also, a malicious message can only work if it contains the text “javascript”, so users should look out for this as well if code is visible. Finally, users should exercise caution and avoid opening any links sent by unknown accounts.
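
The two warning signs described above (a preview banner that shows one site while the link goes to another, and a link carrying "javascript") can also be checked automatically before a banner is rendered. The following is an added example, not code from WhatsApp or from Weizman's research; the message fields text, previewUrl and href are hypothetical and the sample messages are constructed.

```javascript
// Added example. Field names (text, previewUrl, href) are hypothetical,
// not WhatsApp's real message format.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function parseUrl(value) {
  try {
    return new URL(value);
  } catch (e) {
    return null; // not an absolute URL
  }
}

// Returns the reasons a link-preview banner should not be rendered as
// clickable. An empty array means the shown and real destinations agree.
function auditPreview(msg) {
  const href = parseUrl(msg.href);
  if (!href) return ['href-unparseable'];
  const findings = [];

  // Allowlist the scheme on the parsed URL: the parser lowercases it, so
  // "JavaScript:" is caught where a case-sensitive text match is not.
  if (!ALLOWED_SCHEMES.has(href.protocol)) findings.push('scheme:' + href.protocol);

  // Every destination the user is shown (banner URL and URLs typed in the
  // message text) must resolve to the host of the link actually followed.
  const typed = msg.text.match(/\bhttps?:\/\/\S+/gi) || [];
  for (const candidate of new Set([msg.previewUrl, ...typed])) {
    const url = parseUrl(candidate);
    if (!url) findings.push('shown-url-unparseable');
    else if (url.hostname !== href.hostname) {
      findings.push('host-mismatch:' + url.hostname + '->' + href.hostname);
    }
  }
  return findings;
}

// Constructed sample messages (example.com and example.net are reserved domains).
const shownUrl = 'https://www.example.com/news';
const samples = {
  honest: { text: 'Look: ' + shownUrl, previewUrl: shownUrl, href: shownUrl },
  spoofedBanner: { text: 'Look: ' + shownUrl, previewUrl: shownUrl, href: 'https://login.example.net/news' },
  scriptLink: { text: 'hello', previewUrl: shownUrl, href: 'JavaScript:void(0)' },
};

for (const [name, msg] of Object.entries(samples)) {
  console.log(name, auditPreview(msg));
}
```

A client would refuse to render the banner as a link whenever the returned list is non-empty, rather than relying on the recipient to spot the mismatch.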

