Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow. This bypassed filters and sent the modified message through the app as usual, appearing relatively normal in the user interface. Weizman also found that website previews, displayed when users share web links, can also be tampered with before being shown.
As businesses increasingly rely on social messaging apps such as WhatsApp for customer engagement, they must remain vigilant about these risks. As we learned from this research, malicious third parties can modify content and redirect users, putting the brand experience and user data at risk. All companies can follow a few best practices to protect themselves from similar security flawsin the applications they build:
- Regardless of whether link preview banners are generated on the sending or receiving side in your app, your filtering on the receiving side must be robust. Always verify URLs before they load on the receiving side.
- Ensure that your CSP rules are well-configured. By doing so, you are limiting the power of attackers to steal valuable information from users.
- Keep your infrastructure and dependencies up to date. If you build an application using Chromium, it is critical to update the chromium version, as vulnerabilities are being patched consistently. Otherwise, you leave your users vulnerable to serious exploits due to neglect.
These flaws in the WhatsApp framework reveal the potential for vulnerabilities in other messaging apps as well. All of the above precautions should be taken by decision-makers at every company with a messaging app. Take Weizman’s research and advice to heart, and harden your application. In 2020, no product should be allowing reading permissions from the File System with a potential for full remote code execution. Consumers should always be wary of the services they use as well.
For a more technical summary of this discovery, read Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access in the PerimeterX blog.