
WhatsApp Desktop Patched Bug That Allowed Cross-Site Scripting And Local File Reading

Apple's iOS is usually considered a more secure operating system than Google's Android. Unfortunately, its apps can undermine that.

In this case, security firm PerimeterX discovered bugs in WhatsApp for iOS that allowed cybercriminals to peek into users' computers when the WhatsApp iOS app is paired with the WhatsApp Desktop app on either a Windows PC or a Mac.

The bugs, found by the company's security researcher Gal Weizman, were located in WhatsApp's Content Security Policy (CSP).

Weizman said that he was able to take advantage of the first flaw by sending malicious code through a manipulated WhatsApp rich preview banner.

Here, hackers could manipulate the code from which messages are formed in WhatsApp's desktop app, to create a link preview from a specially crafted text message.

In the end, this allowed hackers to achieve Cross-Site Scripting (XSS) and also local file reading.

The flaws were serious, as a hacker could view and steal sensitive documents stored on victims' machines.

The first message shows the legitimate preview link to Facebook; the second has its link replaced; the third has a specially crafted message; and the fourth has Persistent-XSS. (Credit: Gal Weizman / PerimeterX)

In a blog post on PerimeterX's website, Weizman explained that:

"Messages with rich preview banners are messages that include banners with extra information regarding a link that is in the body of the message."

"On WhatsApp the banner is being generated on the side of the sender and this is an important point to understand. One can easily tamper with the banner properties before sending it to the receiver."

In his research, the first thing he did was to craft a message that included a legitimate-looking banner but redirected to another domain, simply by replacing the link. After succeeding at that, he experimented with the flaw to see whether he could tamper not only with the banner's link, but also craft a message whose link appears to belong to the legitimate domain while acting as an open redirect. Again he succeeded.

And after some tweaks, he "gained a one-click Persistent-XSS". From there, he discovered that bypassing the CSP was also possible, giving him a full Cross Platform Read from the File System, plus potentially Remote Code Execution.

PerimeterX on its blog post said that:

"The vulnerabilities in the WhatsApp desktop app can be used to aid phishing campaigns, spread malware and potentially even ransomware to put millions of users at risk. For reference, WhatsApp has over 1.5 billion monthly active users, so attacks could be executed on a large scale resulting in grave implications."

According to Weizman, the most serious flaw was caused by Electron, a platform that allows developers to create "native" applications using standard web features. This makes things easy for many big companies, since it allows their developers to maintain a single source code base for both their web applications and native desktop applications.

Weizman found that WhatsApp was using a version of Electron built on Chrome 69, which contained the XSS flaw.

This vulnerability was first found when Chrome 78 was the stable version. The ability to use the JavaScript trick had been patched a few versions before Chrome 78. This means that if WhatsApp had updated its Electron web application from 4.1.4 to 7.x.x, the flaws would not have been present.

Using the fetch() API, WhatsApp could, for example, be made to show the content of C:\Windows\System32\drivers\etc\hosts. (Credit: Gal Weizman / PerimeterX)

Weizman suggests that all companies using rich preview banners crafted on the sending side should always filter them on the receiving side.

This way, no malicious URL should be loaded on the receiver's side. He also said that CSP rules should be configured carefully.

And if using Electron, they need to make sure it is updated with each Chromium release.
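The receiving-side filter Weizman recommends can be as simple as refusing to render any sender-built banner whose URL is not tied to a link actually present in the message text. The following is an added example written for this article, not WhatsApp's or PerimeterX's code; the message shape (`body` plus a `preview` object with a `url`) and the sample messages are assumptions made for the demonstration.

```javascript
// Added example (not WhatsApp's or PerimeterX's code): receiver-side validation
// of a sender-generated link preview. The message shape used here is an
// assumption made for this demonstration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Pull every absolute http(s) URL out of the message body text.
function extractBodyUrls(body) {
  const found = body.match(/https?:\/\/[^\s<>"']+/gi) || [];
  const urls = [];
  for (const raw of found) {
    try {
      urls.push(new URL(raw));
    } catch (e) {
      // Unparseable token: ignore it rather than trust it.
    }
  }
  return urls;
}

// Decide whether a preview banner may be rendered for this message.
// Returns { ok: true } or { ok: false, reason: string }.
function validatePreview(message) {
  const { body, preview } = message;
  if (!preview || typeof preview.url !== 'string') {
    return { ok: false, reason: 'missing preview URL' };
  }

  let previewUrl;
  try {
    previewUrl = new URL(preview.url);
  } catch (e) {
    return { ok: false, reason: 'preview URL does not parse' };
  }

  // javascript:, data:, file: and similar schemes are never a valid preview target.
  if (!ALLOWED_SCHEMES.has(previewUrl.protocol)) {
    return { ok: false, reason: `disallowed scheme ${previewUrl.protocol}` };
  }

  // The banner was built by the sender, so it must correspond to a link the
  // receiver can actually see in the text: same origin as a body link, or drop it.
  const bodyOrigins = new Set(extractBodyUrls(body || '').map((u) => u.origin));
  if (!bodyOrigins.has(previewUrl.origin)) {
    return { ok: false, reason: 'preview origin does not match any link in the body' };
  }

  return { ok: true };
}

// Constructed sample messages for the demonstration.
const SAMPLES = {
  legit: {
    body: 'Have a look: https://www.facebook.com/somepage',
    preview: { url: 'https://www.facebook.com/somepage', title: 'Facebook' },
  },
  swappedLink: {
    body: 'Have a look: https://www.facebook.com/somepage',
    preview: { url: 'https://attacker.example/landing', title: 'Facebook' },
  },
  javascriptScheme: {
    body: 'Have a look: https://www.facebook.com/somepage',
    preview: { url: 'javascript:alert(1)', title: 'Facebook' },
  },
};

// Run every sample through the check and report the verdicts.
function runDemo() {
  const results = {};
  for (const [name, msg] of Object.entries(SAMPLES)) {
    results[name] = validatePreview(msg);
  }
  return results;
}

console.log(runDemo());
```

Only the `legit` sample passes; the swapped link fails the origin check and the `javascript:` URL fails the scheme check before the origin is even considered. The banner's title and description are still sender-controlled text, so a renderer should insert them with `textContent` rather than `innerHTML`; the URL check above covers where the banner points, not how its text is displayed.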

"In 2020, no product should be allowing reading permissions from the File System with a potential for full remote code execution. Consumers should always be wary of the services they use as well," closed PerimeterX.

After PerimeterX privately contacted Facebook, the social giant announced on its page that it fixed this bug (CVE-2019-18426) in December 2019.

The social media giant said that the vulnerability was found in WhatsApp Desktop when it is paired with WhatsApp for iPhone, saying that it "allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message."

Affected versions include WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10.

Published: 06/02/2020
Tags: News, WhatsApp, Facebook, Security, Privacy


This post first appeared on Eyerys | Eyes For Solution; please read the original post: here
