WhatsApp fixes bug that could have allowed hackers to read your desktop files

WhatsApp patched a security loophole in its desktop apps last month that could have potentially allowed hackers to access your computer’s local files. Discovered by a cybersecurity researcher at PerimeterX, the vulnerability affected the messaging service’s Windows and Mac clients when they were paired with an iPhone.

The flaw was found in WhatsApp’s Content Security Policy, an extra security layer companies often employ to prevent a certain set of attacks, and it made it possible for malicious actors to manipulate messages and links through a method called cross-site scripting.

When a user tapped on one of these adulterated texts, they would unknowingly grant the attacker permission to read their computer’s local files, as well as to inject malicious code. While the vulnerability did require interaction from the user to function, it was possible to execute it remotely.

“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message,” parent company Facebook wrote in a security advisory.

The bug affects WhatsApp Desktop builds prior to v0.3.9309 and WhatsApp for iPhone versions prior to 2.20.10. It was fixed on 21st January 2020. Therefore, to ensure you’re safe, go ahead and update the WhatsApp app on your computer and iPhone.

“Older versions of Google Chrome’s Chromium framework, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome have protections against such JavaScript modifications. Other browsers such as Safari are still wide open to these vulnerabilities,” explained PerimeterX’s founder and CTO, Ido Safruti.

The vulnerability doesn’t impact Android because, unlike iOS, it has additional protections in place against JavaScript banners. “iOS omitted this check, which enabled banners with malicious content to load on iOS devices,” added a PerimeterX spokesperson.

In the last year, WhatsApp has had a hard time keeping security vulnerabilities out. In November, the Facebook-owned messaging giant patched a flaw that could have let hackers take control of a phone with just an MP4 file. A few weeks back, it was found that the same bug also compromised Amazon’s Jeff Bezos’ phone and sensitive data. Telegram’s CEO later, in a scathing blog post, accused WhatsApp of deliberately planting backdoors for law enforcement agencies and masking them as bugs when caught.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…