This is how a critical WhatsApp flaw could take your files

WhatsApp has come under scrutiny from security experts in recent months, not only because of the serious security breach suffered by Jeff Bezos, but also because of reports of several vulnerabilities during 2019.

One of last year's flaws, discovered in August, allowed access to your Windows or Mac files if you were using the web version of the messaging service.

After the people at Check Point discovered the vulnerability, JavaScript expert Gal Weizman set out to investigate this security issue and reported interesting findings from that study: for example, that the web version of the messaging platform is built with Electron, a framework for building desktop apps from web technologies, which is also a fairly common foundation for other platforms.

Electron, in turn, is based on Chromium, the engine behind Google Chrome, which, like any other software, has security issues.

The first thing Weizman discovered with this background is that: “By using the WhatsApp website, I can find the line of code where the object containing the message metadata is formed, manipulate it, and then let the application continue its natural flow of sending messages, thus crafting my message while bypassing the user interface filtering mechanism.”

He then discovered, as happened in the Bezos hack, that by inserting a link to a web address you could manipulate its final destination, that is, redirect to any site he wanted, disguised with an address on top that looked like the real one: “One can easily manipulate the properties of the banner before sending it to the receiver.”

[Image: sample screen of the WhatsApp vulnerability]

Then, using JavaScript, he was able to inject malicious XSS code.

“Fortunately for WhatsApp, Chromium-based browsers added a defense mechanism against javascript: URIs just when I found this vulnerability. Unfortunately for WhatsApp, in other browsers such as Safari and Edge, this vulnerability was still open.”

Finally, he found a way to bypass WhatsApp's Content Security Policy (CSP), which is another layer of security.

[Image: WhatsApp vulnerability]

Gal Weizman's conclusions after doing all this on his own were:

  1. If your application uses rich preview banners and those banners are built on the sending side, your filtering on the receiving side must be perfect. You cannot allow extra URLs to be loaded on the receiving side without making sure they are legitimate.
  2. The CSP rules are very important and could have prevented much of this disaster. If the CSP rules had been well configured, the power gained through this XSS would have been much lower. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, easily load external payloads and much more!
  3. If you are going to use Electron, you MUST make sure it is updated with each Chromium update. This is so important: Chromium updates are not just interesting new features; in most Chromium updates, serious vulnerabilities are being fixed. When Chromium is updated, your Electron-based application should be updated too; otherwise you leave your users exposed to serious vulnerabilities for no reason.
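The first two conclusions translate directly into code on the receiving side. The example below is an added illustration, not WhatsApp's or Gal Weizman's code: `validatePreview` rebuilds a sender-supplied link-preview banner from checked values only (rejecting non-http(s) schemes such as javascript: and banners whose displayed address does not match the real destination), and `auditCsp` flags the CSP directives that would give an XSS the extra power described in conclusion 2. The preview object shape, the hostnames and the CSP header strings are constructed assumptions for the demonstration.

```javascript
// Added example (not WhatsApp's or Gal Weizman's code): receiver-side
// validation of link-preview banners plus a small audit of a CSP header.
// The preview object shape and the CSP strings are constructed assumptions.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse a URL and accept it only if it uses http or https; anything else
// (javascript:, data:, file:, ...) is rejected so it never reaches the DOM.
function parseHttpUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url : null;
}

// Validate a banner built by the sender (conclusion 1): the receiver must not
// trust any URL in the banner without checking it itself.
function validatePreview(preview) {
  const target = parseHttpUrl(preview.targetUrl);
  if (!target) return { ok: false, reason: 'target-scheme' };

  const display = parseHttpUrl(preview.displayUrl);
  if (!display) return { ok: false, reason: 'display-scheme' };

  // The address shown on top of the banner must belong to the same host as
  // the real destination, otherwise the banner is a disguise.
  if (display.host !== target.host) return { ok: false, reason: 'host-mismatch' };

  // Thumbnails are fetched automatically, so they get the strictest rule:
  // https only, and only from the link's own host.
  let thumbnailUrl = null;
  if (preview.thumbnailUrl != null) {
    const thumb = parseHttpUrl(preview.thumbnailUrl);
    if (!thumb || thumb.protocol !== 'https:' || thumb.host !== target.host) {
      return { ok: false, reason: 'thumbnail' };
    }
    thumbnailUrl = thumb.href;
  }

  // Rebuild the banner from validated values; never pass the sender's object through.
  return {
    ok: true,
    preview: {
      title: String(preview.title ?? '').slice(0, 120),
      description: String(preview.description ?? '').slice(0, 300),
      href: target.href,
      displayHost: target.host,
      thumbnailUrl,
    },
  };
}

// Parse a Content-Security-Policy header into a map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Script sources that make an XSS far more powerful (conclusion 2).
const RISKY_SCRIPT_SOURCES = new Set([
  "'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'blob:', 'http:', 'https:',
]);

// Return a list of findings; an empty list means no obvious weakness.
function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  if (!d.has('default-src')) findings.push('missing default-src fallback');
  const scriptSrc = d.get('script-src') ?? d.get('default-src') ?? [];
  if (scriptSrc.length === 0) findings.push('scripts are unrestricted');
  for (const source of scriptSrc) {
    if (RISKY_SCRIPT_SOURCES.has(source.toLowerCase())) {
      findings.push(`script-src allows ${source}`);
    }
  }
  if (!d.has('object-src')) findings.push("missing object-src 'none'");
  return findings;
}

// Constructed sample inputs (hostnames are placeholders).
const SPOOFED_PREVIEW = {
  title: 'Your bank',
  displayUrl: 'https://bank.example',
  targetUrl: 'https://evil.example/login',
};
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *";
const STRICT_CSP =
  "default-src 'self'; script-src 'self' 'nonce-CONSTRUCTED'; object-src 'none'; base-uri 'self'";

console.log(validatePreview(SPOOFED_PREVIEW)); // { ok: false, reason: 'host-mismatch' }
console.log(auditCsp(WEAK_CSP), auditCsp(STRICT_CSP));
```

The validator deliberately returns a freshly built object rather than a "cleaned" copy of the sender's banner, so any property the receiver did not explicitly check cannot slip into the rendering path; the CSP audit uses `default-src` as the fallback for `script-src`, which is how browsers resolve a missing directive.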
