A group of researchers has found several security flaws in WhatsApp that are threatening thousands of computers. One of them stands out from the others, and it is much more critical. Tracked under CVE-2019-18426, allows cross-site scripting (XSS) and local file reading through the WhatsApp application for the iPhone and the web version of WhatsApp, cybercriminals could access your computer by exploiting this vulnerability.
The leading cause of this security flaw lies in the use of an old version of Chromium for the desktop version of WhatsApp. Investigators have warned the company of the need to update the code to close that backdoor.
How it works
By manipulating code inside the WhatsApp Web version on the sender side, they created a proof of concept (PoC) to prove the security flaw. First, they crafted a fake link that seems to direct a Facebook page, even has the banner on it, but if you look closely at the link, it redirects to a shortened address with bit[.]ly, leading the user to a server that can potentially contain malware and would be installed on the victim's computer, most users wouldn't notice it. They would trust that it is something from Facebook or whatever banner attackers wanted to put on it.
Then, due to a misconfiguration in the content security policy (CSP) on the WhatsApp web domain also allowed loading XSS payloads of any length using an iframe from a separate attacker-controlled website on the Internet. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads, and more.
WhatsApp is a top-rated application; it has been adopted in several companies as a way to communicate with costumers and so to provide customer service. There are cases where it is used as an "internal" chat, and even to share files, adversaries know this, and that is the reason why this application has been used as an attack vector, aiming corporations and users.
The vulnerability affects the CSP (Content Security Policy) system, which is a standard to prevent cross-site scripting (XSS) attacks. The method allows them to inject code and sequences into reliable-looking content.
Update the desktop version of WhatsApp if installed, since it affects both Windows and Mac.
Update the WhatsApp iPhone app is also needed in order to mitigate this vulnerability.
Also, it is always advisable to have a good antivirus on each of our devices. And not only good antivirus since they only detect what has already happened, but the best behavioral detection tool in the market, do yourself a favor and download CyberEasy for free!