New WhatsApp Security Flaw Makes the Desktop Version Vulnerable to Remote Takeover via Malicious Messages by Scott Ikeda

If you use WhatsApp on your desktop or laptop, you’ll definitely want to update to the latest version ASAP. Researchers have found a new WhatsApp security flaw that allows remote access to your computer via nothing more than a message with some code snippets in it.

Once you open one of these messages, the WhatsApp security flaw enables hackers to both rifle through your account and remotely access files on your PC.

What’s up with WhatsApp?

If your WhatsApp client isn’t updated to the latest version (0.4.612.0 as of this writing), definitely do not open messages from anyone you don’t know and trust. Simply opening the message can be enough for the new WhatsApp security flaw to be exploited. The bug is present in version 0.3.9309 (which was replaced in December) and all prior versions.

This bug discovery was the result of over two years of testing by PerimeterX researcher Gal Weizman. Weizman began by playing with changing the text of WhatsApp messages while in transit, but eventually found that he could force rich preview banners (the links to websites that pop up in a box with a preview image when certain URLs are entered) to appear as well.

That aspect of the WhatsApp security flaw would allow an attacker to mask malicious links with a preview of a seemingly legitimate and familiar site, and could be leveraged against any WhatsApp user by enticing them to click through. But there is a further vulnerability that is even more dangerous, and capable of exploiting those with browsers that do not automatically block JavaScript attempts to redirect to a URL.

Weizman was eventually able to craft a cross-site scripting attack that would hide an automatic redirect to an attack site in a seemingly innocuous preview banner. If the user’s browser or antivirus software does not stop the automatic redirect, the user is compromised by the attack site simply by opening the malicious message. This could also grant read permissions, allowing the attacker to open and browse the local file system on the target’s machine.

The bug at the root of the WhatsApp security flaw traces back to Google’s Chromium framework, which underpins WhatsApp. A similar flaw in Chromium was discovered by security researchers and patched out some time ago, but WhatsApp uses a variant framework called Electron that is apparently still running on old Chromium code.

Protection and recovery from the WhatsApp security flaw

The breach window on this flaw potentially dates back to the launch of the WhatsApp desktop client in 2016, and it is still active in older versions of the software that have not been updated. It is unclear if any bad actors managed to come upon this avenue of attack before Weizman disclosed it, but the world is aware of it and capable of using it on outdated clients now.

The best solution at the individual level is simply updating to the latest desktop version of WhatsApp. If the user has antivirus software or a browser (such as a recent version of Google Chrome) that verifies JavaScript URLs before loading or simply blocks them outright, they may be protected even if they open a malicious message.

At the organizational level, PerimeterX suggests setting a policy of verifying all URLs before they load on the receiving side and configuring content security policy (CSP) rules to thwart cross-site scripting attacks. This incident also makes clear that anything else running on an outdated version of Chromium needs to be updated immediately to curtail similar security vulnerabilities.
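One way to apply the "verify URLs on the receiving side" advice to a rich preview banner is sketched below. This is an added example, not code from PerimeterX or WhatsApp, and the message shape (`href` for the link that opens on click, `displayUrl` for the site the banner claims to show) is a hypothetical one chosen for illustration.

```javascript
// Added example: receiving-side check of a rich-preview link before it is rendered.
// The message shape ({ href, displayUrl }) is hypothetical, not WhatsApp's format.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function parseUrl(raw) {
  try {
    // The WHATWG parser normalises case and strips tabs/newlines, so obfuscated
    // schemes such as "JaVa\tScRiPt:" resolve to their real protocol here.
    return new URL(String(raw));
  } catch {
    return null; // relative or malformed input is never rendered as a link
  }
}

function validatePreviewLink({ href, displayUrl }) {
  const target = parseUrl(href);
  if (!target) return { ok: false, reason: "unparseable href" };
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return { ok: false, reason: `blocked scheme: ${target.protocol}` };
  }
  // "https://trusted.example@other.example/" shows one host and loads another.
  if (target.username || target.password) {
    return { ok: false, reason: "userinfo in URL" };
  }
  // The banner must describe the same host the click will actually open.
  const shown = parseUrl(displayUrl);
  if (!shown || shown.hostname !== target.hostname) {
    return { ok: false, reason: "preview host mismatch" };
  }
  return { ok: true, url: target.href };
}

// Constructed sample messages (not captured traffic).
const SAMPLES = [
  { href: "https://example.com/news", displayUrl: "https://EXAMPLE.com" },
  { href: "javascript:void(0)", displayUrl: "https://example.com" },
  { href: "https://other.example/login", displayUrl: "https://example.com" },
  { href: "https://example.com@other.example/", displayUrl: "https://example.com" },
];

function screenMessages(messages) {
  return messages.map((m) => validatePreviewLink(m));
}

console.log(screenMessages(SAMPLES));
```

A check like this complements a content security policy rather than replacing it: the allow-list stops a non-web scheme from ever becoming a clickable link, while CSP limits what script can do if something slips through.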

The mobile app does not appear to be affected by the WhatsApp security flaw, unless iOS users paired it with desktop app versions prior to 2.20.10 (which was released in mid-January 2020).

Is WhatsApp safe?

User safety has long been one of the central marketing points of WhatsApp. The app does not store user messages or voice recordings on any servers, and automatically encrypts all communications in such a way that even WhatsApp staff does not have access to it. The app was briefly banned in Brazil in 2015 and 2016 for refusing to allow the government to monitor citizens through it.

But 2019 was a rough year for security incidents at Facebook and its bigger subsidiaries, and WhatsApp was not spared from this trend. In May, hackers managed to get the sophisticated Pegasus spyware onto the platform. This is believed to have been used by the Indian government to surveil officials, activists, journalists and other parties of interest in the weeks leading up to the country’s national elections.

Another WhatsApp security flaw involving the messaging system surfaced in October of 2019, allowing attackers unauthorized access to accounts by way of a malicious GIF file. This unusual attack type exploited a vulnerability in the WhatsApp image loading system; once the trojan GIF was in the target’s WhatsApp gallery, opening it or any other image file with the app would cause a memory allocation error. This bug was discovered by an anonymous security researcher, was not known to have been exploited by any threat actors and was patched out immediately.

WhatsApp is still considered to be one of the safer mass-market options in terms of data privacy, but incidents such as this serve as a reminder that any platform can have bugs and security flaws lurking below the surface waiting to be discovered.