Written by Anthony Carballo
on February 07, 2020

A group of researchers has found several security flaws in WhatsApp that are threatening thousands of computers. One of them stands out from the others, and it is much more critical. Tracked under CVE-2019-18426, allows cross-site scripting (XSS) and local file reading through the WhatsApp application for the iPhone and the web version of WhatsApp, cybercriminals could access your computer by exploiting this vulnerability.

The leading cause of this security flaw lies in the use of an old version of Chromium for the desktop version of WhatsApp. Investigators have warned the company of the need to update the code to close that backdoor.

How it works

By manipulating code inside the WhatsApp Web version on the sender side, they created a proof of concept (PoC) to prove the security flaw. First, they crafted a fake link that seems to direct a Facebook page, even has the banner on it, but if you look closely at the link, it redirects to a shortened address with bit[.]ly, leading the user to a server that can potentially contain malware and would be installed on the victim's computer, most users wouldn't notice it. They would trust that it is something from Facebook or whatever banner attackers wanted to put on it.

Then, due to a misconfiguration in the content security policy (CSP) on the WhatsApp web domain also allowed loading XSS payloads of any length using an iframe from a separate attacker-controlled website on the Internet. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads, and more.


WhatsApp is a top-rated application; it has been adopted in several companies as a way to communicate with costumers and so to provide customer service. There are cases where it is used as an "internal" chat, and even to share files, adversaries know this, and that is the reason why this application has been used as an attack vector, aiming corporations and users.

The vulnerability affects the CSP (Content Security Policy) system, which is a standard to prevent cross-site scripting (XSS) attacks. The method allows them to inject code and sequences into reliable-looking content.


Update the desktop version of WhatsApp if installed, since it affects both Windows and Mac.

Update the WhatsApp iPhone app is also needed in order to mitigate this vulnerability.

Also, it is always advisable to have a good antivirus on each of our devices. And not only good antivirus since they only detect what has already happened, but the best behavioral detection tool in the market, do yourself a favor and download CyberEasy for free!

Let Us Know What You Thought about this Post.

Put your Comment Below.

You may also like:

Cybersecurity Awareness Vulnerability Threat Hunting PowerShell

Analísis de la necesidad de registrar eventos de PowerShell.

Amedida que continuamos desarrollando CyberEasy, nuestro equipo de ingeniería agregó muchas características para habilit...

Cybersecurity Awareness Vulnerability Threat Hunting PowerShell

The need for PowerShell logging and further analysis.

As we continue to develop CyberEasy, our engineering team added a lot of features for enabling, collecting and analyzing...

Phishing Vulnerability

COVID-19 y estafas

COVID-19 es uno de los temas más importantes en todo el mundo en este momento, y los ciberdelincuentes se están aprovech...