Multiple high-severity vulnerabilities in the WhatsApp Desktop app allow attackers to execute arbitrary code, perform cross-site scripting (XSS), load remote payloads and more. Discovered by Gal Weizman, a security researcher and JavaScript expert at PerimeterX, the flaw affects the world's largest messaging platform.
In this article we look at how the WhatsApp Desktop app is vulnerable and how users can mitigate the threat.
According to Weizman's blog post, the bug (tracked as CVE-2019-18426) is an open-redirect flaw in link-preview banners that lets an attacker send a specially crafted message which executes a persistent XSS payload, loads further payloads and reads sensitive data. The flaw lives in WhatsApp Web, and it is most dangerous in the Electron-based cross-platform desktop apps, which wrap WhatsApp Web and run it with more privileges than a browser tab.
When the victim opens such a message in WhatsApp Web, the attacker's code runs in the context of the WhatsApp Web origin and can read the victim's sensitive information; inside the desktop app the same payload can also read local files from the victim's computer.
A misconfigured Content Security Policy (CSP) on the WhatsApp Web domain is another reason the bug is exploitable: it allows the attacker to run an XSS payload from an isolated attacker-controlled website loaded in an iframe.
A correctly configured CSP would have reduced the impact of the XSS payload and blocked the CSP bypass.
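To make the CSP point concrete, here is an added example (written for this article, not code from Weizman's post or from WhatsApp) that parses a Content-Security-Policy header and flags the weaknesses that let an injected script run or let an attacker-controlled site be framed. Both policy strings are constructed for illustration and are not the real header served by web.whatsapp.com; the hostname cdn.example.com is a placeholder.

```javascript
// Added example: audit a CSP header for the weaknesses discussed above.
// Policies and hostnames below are constructed, not WhatsApp's real header.

// Parse "name value value; name value" into a Map of directive -> source tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Resolve a fetch directive with CSP fallback rules: frame-src falls back to
// child-src, and every fetch directive falls back to default-src. null means
// the policy does not restrict this directive at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (directive === "frame-src" && policy.has("child-src")) return policy.get("child-src");
  return policy.get("default-src") || null;
}

// "*" or a scheme-only source such as https:, data: or blob: allows any host.
const SCHEME_ONLY = /^[a-z][a-z0-9+.-]*:$/i;
function unrestricted(sources) {
  if (sources === null) return true;
  return sources.some((s) => s === "*" || SCHEME_ONLY.test(s));
}

// Returns a list of human-readable findings; an empty list means no weakness found.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const script = effectiveSources(policy, "script-src");
  if (unrestricted(script)) findings.push("script-src: scripts may load from any origin");
  if (script && script.includes("'unsafe-inline'")) findings.push("script-src: 'unsafe-inline' permits inline scripts and javascript: URLs");
  if (script && script.includes("'unsafe-eval'")) findings.push("script-src: 'unsafe-eval' permits eval() and Function()");

  // The bypass vector in the article: an attacker-controlled site inside an iframe.
  const frame = effectiveSources(policy, "frame-src");
  if (unrestricted(frame)) findings.push("frame-src: any site, including an attacker's, may be embedded in an iframe");

  const object = effectiveSources(policy, "object-src");
  if (object === null || !object.includes("'none'")) findings.push("object-src: should be 'none' to block plugin-based bypasses");

  if (!policy.has("base-uri")) findings.push("base-uri: missing, an injected <base> tag can redirect relative script URLs");

  return findings;
}

// Constructed weak policy: wildcard default-src and unsafe script sources.
const WEAK_CSP = "default-src * data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com";
// Constructed hardened policy: explicit allowlists, no unsafe keywords, objects blocked.
const STRONG_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; frame-src 'self'; base-uri 'none'";

console.log("weak:", auditCsp(WEAK_CSP));
console.log("strong:", auditCsp(STRONG_CSP));
```

Run it with node; the weak policy yields five findings (inline scripts, eval, unrestricted frames, objects and a missing base-uri) while the hardened one yields none. The fallback logic matters in practice: a site that sets a tight script-src but leaves frame-src to a wildcard default-src is exactly the kind of policy that still permits an attacker-controlled iframe.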
The image below shows how an attacker could access the contents of the victim's computer using the remote file read attack on WhatsApp Web inside the desktop app. Read the complete details of the attack in Weizman's blog post.
If your app renders rich link-preview banners, especially ones whose contents are supplied by the sender, those banners and URLs must be scrutinised before they are shown: the link the user sees must lead to the host it names, and any unexpected scheme (for example javascript:) or client-side code execution should ring alarm bells.
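As an added example of the checks just described (illustrative code written for this article, not WhatsApp's implementation), the function below validates a sender-supplied link-preview banner before it is rendered: it allows only http and https targets, rejects URLs that carry credentials, refuses banners whose displayed host differs from the real target (the open-redirect case), and escapes the title so it can only ever render as text. The banner shape { displayUrl, targetUrl, title }, the sample banners and the example.com / example.net hostnames are all constructed.

```javascript
// Added example: validating a sender-controlled link-preview banner.
// The banner object shape and the sample banners are constructed for this article.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse a URL and accept it only if it uses http or https.
// javascript:, data:, file: and malformed strings all return null.
function parseHttpUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url : null;
}

// Escape text that will be placed into HTML so markup in a title
// cannot become an element or an event handler.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns { ok: true, href, title } for a safe banner, or { ok: false, reason }.
function validatePreview(banner) {
  const target = parseHttpUrl(banner.targetUrl);
  if (!target) {
    return { ok: false, reason: `target scheme not allowed or URL malformed: ${banner.targetUrl}` };
  }
  // "https://trusted.example@evil.example/" parses with host evil.example;
  // credentials in a link exist mainly to disguise the real host.
  if (target.username || target.password) {
    return { ok: false, reason: "credentials in target URL can disguise the real host" };
  }
  const shown = parseHttpUrl(banner.displayUrl);
  if (!shown) {
    return { ok: false, reason: `display URL not http(s): ${banner.displayUrl}` };
  }
  // Open-redirect check: the link the user sees must lead to the host it names.
  if (shown.host !== target.host) {
    return { ok: false, reason: `host mismatch: banner shows ${shown.host} but links to ${target.host}` };
  }
  return { ok: true, href: target.href, title: escapeHtml(banner.title || target.host) };
}

// Constructed sample banners: one benign, three hostile.
const SAMPLE_BANNERS = [
  { displayUrl: "https://news.example.com/story", targetUrl: "https://news.example.com/story", title: "A story" },
  { displayUrl: "https://news.example.com/story", targetUrl: "javascript:fetch('file:///etc/passwd')", title: "A story" },
  { displayUrl: "https://news.example.com/story", targetUrl: "https://evil.example.net/login", title: "A story" },
  { displayUrl: "https://news.example.com/", targetUrl: "https://news.example.com@evil.example.net/", title: "<img src=x onerror=alert(1)>" },
];

for (const banner of SAMPLE_BANNERS) console.log(validatePreview(banner));
```

Only the first banner passes; the javascript: target, the host mismatch and the credential-disguised host are each rejected with a reason that can be logged. Note that the host comparison is exact: deciding that two different hostnames belong to the same site needs a public-suffix list, which this example deliberately does not attempt.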
Robust CSP configuration will reduce what an XSS payload can do and make CSP-bypass attacks harder.
If you ship an Electron app, keep Electron itself up to date: Electron bundles its own copy of Chromium, so an outdated Electron stays vulnerable to known Chromium bugs such as the ones used here, no matter how recent the Chromium release is upstream or on the user's machine.
As usual, a patch fixes the vulnerability, and Facebook has already patched WhatsApp; CVE-2019-18426 affects WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10. Follow the suggestions above when configuring CSP so that a single message cannot lead to remote code execution.
If you use WhatsApp Desktop or WhatsApp Web, update to the patched version immediately to keep your data secure.