The desktop platform has more than 1.5 billion monthly active users. The high-severity bug (rated 8.2 on the CVSS severity scale) could impact those that also use WhatsApp for iPhone, if they don’t update their desktop and mobile apps, and if they don’t use newer versions of the Chrome browser.
“A vulnerability [CVE-2019-18426] in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting (XSS) and local file reading,” according to the National Vulnerability Database. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
More specifically, “The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations,” PerimeterX founder and CTO Ido Safruti wrote in a blog post, on Tuesday.
Bad actors can inject harmful code or links into “seemingly innocuous exchanges,” according to Safruti, causing unsuspecting users to click on malicious links that appear to them like messages from a friend.
However, the end game is remote code-execution — a potential outcome in some browsers, according to the researchers.
Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow. This bypassed filters and sent the modified message through the app as usual, appearing relatively normal in the user interface. Weizman also found that website previews, displayed when users share web links, can also be tampered with before being shown.
In this way, it’s possible to inject links that redirect a user to malicious web pages or that initiate malware downloads. Further, the researcher discovered that he could also make those links look like authentic domain links — i.e., as if they really come from Facebook or other legitimate website.
“This works thanks to the role ‘@; plays in the spec of URL,” Weizman wrote. “The purpose of ‘@’ in URLs is to pass username and password to visited domains in the following way:
https://USERNAME:PASSWORD@DOMAIN.COM. One can abuse this, as I just did, and replace the username and password with anything else:
https://DOMAIN-A.COM@DOMAIN-B.com and it’ll still work. Firefox is the only browser that warns users, by default, In case this method is used without providing a username and password.”
Weizman continued probing the vulnerability to eventually bypass WhatsApp’s Content Security Policy (CSP) rules to enhance the power of the persistent XSS, which he managed to do by using Google’s CSP Evaluator. There, he discovered that the CSP lacked the object-src directive.
“Since object-src directive is missing [in the CSP], it means I can use object to load an iframe(ish) to any origin of my choice,” he wrote in the post. “That way I’ll be able to run any external code with no size limits and no problems.”
Weizman then showed how he executed malicious code on the web.whatsapp.com domain by using the XSS exploit to load the aforementioned iframe. That opens up the potential for RCE, he said.
“I then use the iframe to post a message to the top window with the content of the external code,” he explained. “The top window, where the XSS was executed, receives the message from the iframe, parses the external payload provided by it and executes it in its context (web.whatsapp.com). Win! External payload was successfully fetched and executed in the context of WhatsApp!”
The entire attack can be executed with one click from the user on the altered rich preview message.
Weizman stressed the importance of an app’s CSP rules, which could have prevented the vulnerability from being exploited in the first place.
“If the CSP rules were well configured, the power gained by this XSS would have been much smaller,” he wrote. “Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more!”
WhatsApp’s desktop platform certainly isn’t the only version of the popular messaging service to contain vulnerabilities. Last year alone, researchers found a number of flaws in the more widely used mobile app version of WhatsApp that have allowed for remote code execution, the delivery of spyware, and exposure of personal media files, among others.
Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.