Cyber Security Strategy

PerimeterX Researcher Finds Vulnerability in WhatsApp Desktop Platform

by

One of the most widely used messaging apps by consumers is not as safe as we once thought. By running a few different experiments in code modification, PerimeterX cybersecurity researcher and JavaScript expert Gal Weizman was able to discover multiple security vulnerabilities in WhatsApp (CVE-2019-18426), revealing the potential for widespread cyberattacks on its users. These weaknesses leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations. The vulnerabilities in the WhatsApp desktop app can be used to aid phishing campaigns, spread malware and potentially even ransomware to put millions of users at risk. For reference, WhatsApp has over 1.5 billion monthly active users, so attacks could be executed on a large scale resulting in grave implications.

Weizman was able to find a gap in the Content Security Policy (CSP) used by WhatsApp, enabling bypasses and cross site scripting (XSS) on the desktop app. This also allowed him to gain read permissions from the local file system on both Mac and Windows desktop apps. Long story short, unsuspecting users could be subject to harmful code or links injected into their seemingly innocuous exchanges. These message modifications would be completely invisible to the untrained eye. Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient.

Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow. This bypassed filters and sent the modified message through the app as usual, appearing relatively normal in the user interface. Weizman also found that website previews, displayed when users share web links, can also be tampered with before being shown.

Older versions of Google Chrome’s Chromium framework, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome have protections against such JavaScript modifications. Other browsers such as Safari are still wide open to these vulnerabilities.

As businesses increasingly rely on social messaging apps such as WhatsApp for customer engagement, they must remain vigilant about these risks. As we learned from this research, malicious third parties can modify content and redirect users, putting the brand experience and user data at risk. All companies can follow a few best practices to protect themselves from similar security flawsin the applications they build:

  1. Regardless of whether link preview banners are generated on the sending or receiving side in your app, your filtering on the receiving side must be robust. Always verify URLs before they load on the receiving side.
  2. Ensure that your CSP rules are well-configured. By doing so, you are limiting the power of attackers to steal valuable information from users.
  3. Keep your infrastructure and dependencies up to date. If you build an application using Chromium, it is critical to update the chromium version, as vulnerabilities are being patched consistently. Otherwise, you leave your users vulnerable to serious exploits due to neglect.

There are also a number of steps that WhatsApp users can take to recognize messages that have been tampered with. They should look for text that might appear more like a piece of code than like legitimate text. The malicious message can only work if it contains the text “javascript:”, so users should be wary of this slip-up if code is visible. Users should exercise caution and avoid opening any links sent by unknown accounts. Preview banners and URLs can be misleading—even if these seem to be legitimate, users should only open them when received from a trusted source.

These flaws in the WhatsApp framework reveal the potential for vulnerabilities in other messaging apps as well. All of the above precautions should be taken by decision-makers at every company with a messaging app. Take Weizman’s research and advice to heart, and harden your application. In 2020, no product should be allowing reading permissions from the File System with a potential for full remote code execution. Consumers should always be wary of the services they use as well.

For a more technical summary of this discovery, read Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access in the PerimeterX blog.

PerimeterX is Named as a Leader in Bot Manangement by Forrester

Download Report
© PerimeterX, Inc. All rights reserved.