    WhatsApp Bug Allows Malicious Code-Injection, One-Click RCE
    Friday, February 7, 2020 IST

    A high-severity vulnerability could allow cybercriminals to push malware or remotely execute code, using seemingly innocuous messages.


    Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. And, further investigation shows this could be parlayed into remote code-execution.
     
    The desktop platform has more than 1.5 billion monthly active users. The high-severity bug (rated 8.2 on the CVSS severity scale) could impact those that also use WhatsApp for iPhone, if they don’t update their desktop and mobile apps, and if they don’t use newer versions of the Chrome browser.
     
    “A vulnerability [CVE-2019-1842] in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting (XSS) and local file reading,” according to the National Vulnerability Database. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
     
    More specifically, “The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations,” PerimeterX founder and CTO Ido Safruti wrote in a blog post on Tuesday.
     
    Bad actors can inject harmful code or links into “seemingly innocuous exchanges,” according to Safruti, causing unsuspecting users to click on malicious links that appear to them like messages from a friend.
     
    “These message modifications would be completely invisible to the untrained eye,” he wrote. “Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient.”
     
    However, the end game is remote code-execution — a potential outcome in some browsers, according to the researchers.
     
    Bug Details
     
    PerimeterX cybersecurity researcher and JavaScript expert Gal Weizman first discovered the vulnerabilities leading to this latest WhatsApp bug in 2017. He broke down the journey to discovering the latest flaw and its potential for leading to RCE in a separate post. He also said he has been working with Facebook, which owns and oversees WhatsApp, to fix the issues.
     
    In his breakdown, Weizman showed how he started by tampering with the JavaScript for the rich preview banners of messages: the ones that include extra information about a link in the body of the message.
     
     
    Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it, and then let the app continue in its natural message-sending flow. This bypassed filters and sent the modified message through the app as usual, so it appeared relatively normal in the user interface. Weizman also found that website previews, displayed when users share web links, can be tampered with before being shown.
     
    In this way, it’s possible to inject links that redirect a user to malicious web pages or that initiate malware downloads. Further, the researcher discovered that he could also make those links look like authentic domain links, i.e., as if they really came from Facebook or another legitimate website.
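    The defensive counterpart to the preview tampering described above is to treat preview data as untrusted input before a desktop web client renders it. The following is an added example, not WhatsApp's or PerimeterX's code; the preview shape `{ url, title, description }`, the function names and the sample hosts are assumptions made for this illustration. It checks that the preview's scheme is http(s) (so `file:` and `javascript:` targets are refused), that the preview's host actually appears as a link in the message body, and it HTML-escapes the preview text so it is shown as data rather than markup.

```javascript
// Added example (not the app's own code): validate a link preview before rendering it.
// Assumed preview shape: { url, title, description }.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Extract the absolute http(s) URLs that are literally present in the message body.
function extractMessageUrls(text) {
  const found = [];
  for (const token of text.split(/\s+/)) {
    try {
      const u = new URL(token);
      if (ALLOWED_SCHEMES.has(u.protocol)) found.push(u);
    } catch (_) {
      // token is not an absolute URL; ignore it
    }
  }
  return found;
}

// Escape preview text so it renders as text, never as HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Returns { ok, reasons, safe }: ok is false when the preview must not be shown
// as-is; safe is the escaped preview that is acceptable to hand to the renderer.
function validateLinkPreview(messageText, preview) {
  const reasons = [];
  let target = null;
  try {
    target = new URL(preview.url);
  } catch (_) {
    reasons.push("preview url is not parseable");
  }
  if (target && !ALLOWED_SCHEMES.has(target.protocol)) {
    reasons.push(`disallowed scheme ${target.protocol}`); // refuses file:, javascript:, ...
  }
  const bodyHosts = extractMessageUrls(messageText).map((u) => u.hostname);
  if (target && !bodyHosts.includes(target.hostname)) {
    reasons.push(`preview host ${target.hostname} does not match any link in the message`);
  }
  const safe = {
    url: target ? target.href : "",
    title: escapeHtml(preview.title || ""),
    description: escapeHtml(preview.description || ""),
  };
  return { ok: reasons.length === 0, reasons, safe };
}
```

A mismatch between the preview host and the message's own links is exactly the "authentic-looking link pointing elsewhere" condition the article describes, so a client can refuse to show the banner or fall back to the raw URL.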