WhatsApp Web, a bug allows hackers to steal data from PC

A computer researcher has discovered a vulnerability that affects WhatsApp Web and allows hackers to access PC data. How to defend yourself

Using WhatsApp Web on a Windows PC or a Mac to exchange messages with a WhatsApp user on an iPhone is anything but a remote scenario, yet it turns out not to be without risk, as Gal Weizman, programmer and researcher at PerimeterX, has discovered.

Weizman discovered a vulnerability in WhatsApp Web, tracked as CVE-2019-18426, that would have allowed a malicious user to remotely read files on the victim's computer by means of a link sent in a WhatsApp message. Facebook acknowledged the vulnerability, specifying that it only affects WhatsApp Web versions prior to 0.3.9309 when interacting with WhatsApp iPhone versions prior to 2.20.10, and released a fix. To "open the floodgates" to a hacker, all the victim had to do was click on a link received on WhatsApp.

The WhatsApp Web vulnerability

Weizman explained that he was able to perform a cross-site scripting (XSS) attack and also bypass WhatsApp's content security policy (CSP), and thus read files on the remote computer (on both Windows and Mac). An XSS attack allows a hacker to remotely execute malicious code inside the user's browser and access their data. Weizman also managed to tamper with messages sent by WhatsApp Web in response to other received messages, especially those containing a link preview. This is precisely how he managed to send the dangerous link without the user being able to notice anything.
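As an added illustration (not from the article and not WhatsApp's own code), this is the kind of consistency check a messaging client can apply to a link-preview message before rendering it as a clickable banner. The message fields `text`, `preview.href` and `preview.displayUrl` are hypothetical, since the article does not describe the real message format, and the sample messages are constructed.

```javascript
// Added example. Field names are hypothetical; sample messages are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse a value as an absolute URL and accept it only if it is plain web traffic.
function parseWebUrl(value) {
  try {
    const url = new URL(String(value));
    return ALLOWED_SCHEMES.has(url.protocol) ? url : null;
  } catch {
    return null; // relative, malformed or missing
  }
}

// Decide whether a received link preview may be rendered as a clickable element.
function checkLinkPreview(message) {
  const preview = message.preview;
  if (!preview) return { ok: true, reason: "no preview" };

  // 1. What the click opens must be http(s), never a script or local-file scheme.
  const target = parseWebUrl(preview.href);
  if (!target) return { ok: false, reason: "target is not an http(s) URL" };

  // 2. What the user sees must point at the same host as what the click opens.
  const shown = parseWebUrl(preview.displayUrl);
  if (!shown) return { ok: false, reason: "displayed URL is not an http(s) URL" };
  if (shown.hostname !== target.hostname) {
    return { ok: false, reason: "displayed host differs from target host" };
  }

  // 3. The preview must describe a link that really is in the message body.
  const bodyUrls = (String(message.text).match(/https?:\/\/\S+/gi) || [])
    .map((candidate) => parseWebUrl(candidate));
  if (!bodyUrls.some((u) => u && u.href === target.href)) {
    return { ok: false, reason: "preview target does not appear in message text" };
  }
  return { ok: true, reason: "consistent" };
}

// Constructed samples: one consistent message and three tampered ones.
const body = "see https://example.com/article";
const shownUrl = "https://example.com/article";
const samples = {
  consistent: { text: body, preview: { href: shownUrl, displayUrl: shownUrl } },
  scriptScheme: { text: body, preview: { href: "javascript:void(0)", displayUrl: shownUrl } },
  hostSwap: { text: body, preview: { href: "https://example.net/login", displayUrl: shownUrl } },
  orphanPreview: { text: "hello", preview: { href: shownUrl, displayUrl: shownUrl } },
};
for (const [name, msg] of Object.entries(samples)) {
  console.log(name, checkLinkPreview(msg));
}
```

A check like this belongs on the receiving side, because the sender's client is exactly what the tampering described above controls.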

What is at risk?

Weizman discovered this very serious WhatsApp Web bug in late 2019 and submitted it to Facebook in order to get the reward provided by the company's bounty program. Facebook had no choice but to admit the bug and fix it, writing a $12,500 check to the researcher. The bug fix arrived on January 21, 2020, and soon after, Weizman was able to disclose his discovery to the world. Bounty programs work just like this: whoever discovers a flaw avoids making it public and communicates it only to the company that produces the software with the bug. In a short time the company, in this case Facebook, solves the problem and gives a financial reward to those who discovered the bug and waited for the patch to be published before talking about it publicly.