WhatsApp has come under scrutiny from security experts in recent months, not only because of the serious security breach suffered by Jeff Bezos, but also because of reports of several vulnerabilities during 2019.
One of last year's flaws, discovered in August, allowed your Windows or Mac files to be accessed through the messaging service if you were using the web version.
In addition, Electron is based on Chromium, the Google Chrome engine, which, like any other software, has security issues.
The first thing Weizman discovered, with this background, was that, “By using the WhatsApp website, I can find the line of code where the object containing the message metadata is formed, manipulate it and then let the application continue in its natural flow of sending messages, thus creating my message by ignoring the user interface filtering mechanism.”
He then discovered, as happened in the Bezos hack, that by inserting a link to a web address he could manipulate the final destination, that is, redirect to any site he wanted, disguised with an address on top that looked like the real one: "One can easily manipulate the properties of the banner before sending it to the receiver."
Finally, he found a way to bypass WhatsApp's Content Security Policy (CSP), which is another layer of security.
Gal Weizman's conclusions after carrying out this research on his own were:
- If your application uses rich preview banners and those banners are designed on the sending side, your filtering on the receiving side should be perfect. You cannot allow extra URLs to be loaded on the receiving side without making sure they are legitimate.
- The CSP rules are very important and may have prevented much of this disaster. If the CSP rules were well configured, the power obtained by this XSS would have been much lower. Being able to avoid the CSP configuration allows an attacker to steal valuable information from the victim, easily load external payloads and much more!
- If you are going to use Electron, you MUST make sure that it is updated with each Chromium update. And this is so important: Chromium updates are not just interesting new features; in most Chromium updates, serious vulnerabilities are being repaired. When Chromium is updated, your Electron-based application should also be updated, otherwise you leave your users vulnerable to serious vulnerabilities for no reason.
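The first conclusion above, receiving-side filtering of banners that were built on the sending side, as an added example that is not WhatsApp's or Weizman's code: the check refuses a preview banner whose target or thumbnail does not share an origin with a link actually present in the message text, and any non-http(s) scheme. The message field names (`text`, `preview.url`, `preview.thumbnailUrl`) are assumptions for illustration, not WhatsApp's real message schema.

```javascript
// Added example, not WhatsApp's code. Field names below are assumed for
// illustration; WhatsApp's real message metadata object is not shown here.

// Pull every http(s) link out of the message body; these are the only
// destinations a banner built on the sending side is allowed to claim.
function extractLinks(text) {
  const found = [];
  for (const m of text.matchAll(/https?:\/\/[^\s<>"']+/gi)) {
    try { found.push(new URL(m[0])); } catch { /* skip malformed link */ }
  }
  return found;
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.host === b.host;
}

// Receiving-side check. Returns { ok, reason }. A banner is accepted only
// when each URL it carries parses, uses http(s), and matches the origin of
// a link that is really in the text. A banner with no link in the text,
// or with a javascript:/data:/file: target, is rejected outright.
function validatePreview(message) {
  const { preview, text } = message;
  if (!preview) return { ok: true, reason: "no banner" };
  const links = extractLinks(text || "");
  if (links.length === 0) return { ok: false, reason: "banner without link in text" };
  for (const field of ["url", "thumbnailUrl"]) {
    const raw = preview[field];
    if (raw === undefined) continue;
    let target;
    try { target = new URL(raw); } catch { return { ok: false, reason: `${field} malformed` }; }
    if (target.protocol !== "https:" && target.protocol !== "http:") {
      return { ok: false, reason: `${field} uses disallowed scheme ${target.protocol}` };
    }
    if (!links.some((l) => sameOrigin(l, target))) {
      return { ok: false, reason: `${field} origin not present in message text` };
    }
  }
  return { ok: true, reason: "banner matches text" };
}

// Constructed sample messages: an honest preview, a banner whose target was
// rewritten to point elsewhere than the visible link, and a script scheme.
const SAMPLES = {
  honest: { text: "see https://example.com/post/1",
            preview: { url: "https://example.com/post/1", thumbnailUrl: "https://example.com/t.png" } },
  disguised: { text: "see https://example.com/post/1",
               preview: { url: "https://elsewhere.invalid/x", thumbnailUrl: "https://example.com/t.png" } },
  scheme: { text: "see https://example.com/post/1", preview: { url: "javascript:alert(1)" } },
};
```

Run with `node` and inspect `validatePreview(SAMPLES.disguised)` to see the rejection reason; a real client would drop or rebuild the banner on rejection rather than render it.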