Written by Anthony Carballo
on February 07, 2020

A group of researchers has found several security flaws in WhatsApp that are threatening thousands of computers. One of them stands out from the others, and it is much more critical. Tracked under CVE-2019-18426, allows cross-site scripting (XSS) and local file reading through the WhatsApp application for the iPhone and the web version of WhatsApp, cybercriminals could access your computer by exploiting this vulnerability.

The leading cause of this security flaw lies in the use of an old version of Chromium for the desktop version of WhatsApp. Investigators have warned the company of the need to update the code to close that backdoor.

How it works

By manipulating code inside the WhatsApp Web version on the sender side, they created a proof of concept (PoC) to prove the security flaw. First, they crafted a fake link that seems to direct a Facebook page, even has the banner on it, but if you look closely at the link, it redirects to a shortened address with bit[.]ly, leading the user to a server that can potentially contain malware and would be installed on the victim's computer, most users wouldn't notice it. They would trust that it is something from Facebook or whatever banner attackers wanted to put on it.

Then, due to a misconfiguration in the content security policy (CSP) on the WhatsApp web domain also allowed loading XSS payloads of any length using an iframe from a separate attacker-controlled website on the Internet. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads, and more.


WhatsApp is a top-rated application; it has been adopted in several companies as a way to communicate with costumers and so to provide customer service. There are cases where it is used as an "internal" chat, and even to share files, adversaries know this, and that is the reason why this application has been used as an attack vector, aiming corporations and users.

The vulnerability affects the CSP (Content Security Policy) system, which is a standard to prevent cross-site scripting (XSS) attacks. The method allows them to inject code and sequences into reliable-looking content.


Update the desktop version of WhatsApp if installed, since it affects both Windows and Mac.

Update the WhatsApp iPhone app is also needed in order to mitigate this vulnerability.

Also, it is always advisable to have a good antivirus on each of our devices. And not only good antivirus since they only detect what has already happened, but the best behavioral detection tool in the market, do yourself a favor and download CyberEasy for free!

Let Us Know What You Thought about this Post.

Put your Comment Below.

You may also like:

Vulnerability Threat report

CryptoAPI Spoofing Vulnerability, Windows flaw discovered by the NSA

Microsoft released patches addressing 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the ...

Vulnerability Threat report

Linux bug – Adversaries can hijack your VPN connection

Security testers from the University of New Mexico discovered a vulnerability, tracked as CVE-2019-14899, that can be ex...


Dexphot - Why Your Antivirus Isn't Enough.

Security researchers at Microsoft have been tracking a new strain of cryptocurrency miner, they named it Dexphot, based ...