A cybersecurity researcher has discover several security flaws in WhatsApp. Revealing that one of the most use messaging apps is not as secure as previously thought.
PerimeterX’s Gal Weizman use his JavaScript expertise to find multiple vulnerabilities in the popular messaging app that could leave users at risk of attacks by allowing both text content and links in website previews to be spoofed to display fake content and modifi links that point to malicious destinations.
The vulnerabilities found in the WhatsApp desktop app
Can be use to aid phishing campaigns, spread malware and potentially even ransomware to put millions of users at risk, as the messaging service currently has over 1.5 billion monthly active users.
By finding a loophole in the Content Security Sweden WhatsApp Number List Policy (CSP) use by WhatsApp, Weizman was able to enable bypasses as well as cross-site scripting (XSS) on the messaging service’s desktop app. This allow him to gain local file system read permissions on the Mac and Windows desktop apps.
By exploiting these flaws, hackers could target unsuspecting users with malicious code or links injecte into their messages. To make matters worse, these message notifications would be completely invisible to the untrained eye. These types of attacks are possible by simply modifying the JavaScript code of a single message before it is delivered to its recipient.
Using the WhatsApp desktop platform
Weizman was able to find the code where the messages WhatsApp Number Database are form, tamper with it, and then let the app continue to send those messages as usual. This bypass the filters and sent the altere message through the app as usual, where it look relatively normal in the user interface. Weizman even discover that website previews, which are display when users share web links, can also be tamper with before being display.
To avoid falling victim to this type of attack. WhatsApp Bulk Database users should look for text that might look more like a piece of code than legitimate text. Additionally, a malicious message can only work if it contains the text “javascript.” So users should also look for it if the code is visible. Finally, users should exercise caution and avoid opening links sent by unknown accounts.
