A critical security bug was disclosed in WhatsApp that could allow a hacker to read files stored on a user’s device. Read on to know more…
A cybersecurity researcher has discovered multiple security vulnerabilities in WhatsApp revealing that it’s not as safe as once thought. A critical security bug was disclosed in WhatsApp that could allow a hacker to read files stored on a user’s device.
The Security Vulnerability
The security vulnerabilities found in the WhatsApp desktop app can be used to aid phishing campaigns, spread malware and potentially even ransomware to put millions of users at risk as the messaging service currently has over 1.5 billion monthly active users.
From a research work about a security flaw found in 2017 where an attacker could change the text of a person’s reply within WhatsApp, work by security researcher Gal Weizman of Perimeter X uncovered a number of other security issues. Depending on the particular flaw, Weizman was capable of performing persistent cross-site scripting (XSS) within WhatsApp, as well as being able to read the local file system of a recipient by sending a single message. The flaws were found to work on the desktop version of WhatsApp for macOS and Windows, which are typically paired to a mobile version, such as the iPhone app.
In their work, Weizman found issues within WhatsApp’s Content Security Policy that opened the door to abuse, with the flaws allowing an escalation of severity. On the low end this included manipulating the WhatsApp banner, which appears for messages that include extra information like a link to a website, with tampering of the message enabling it to appear to be linking to Facebook but in reality could include a malicious website URL.
Shortly after the claims were made, Facebook head of global affairs and former UK deputy prime minister Sir Nick Clegg insisted the app was secure. In an interview with the BBC, Clegg insisted WhatsApp’s encrypted messages could “not be hacked into” and that it couldn’t have been any change to the message in transit —which is apparently not the case. Exploitation of this WhatsApp client flaw could have easily led to the Bezos hack.
Security researchers were quick to point out that end-to-end encryption would not matter if the message itself is hazardous to open.