Date: 2020-02-05

WhatsApp fixed a vulnerability in its desktop apps last month that could have allowed hackers to access your computer’s local files. The vulnerability was discovered by a cyber security researcher at PerimeterX and affected the Windows and Mac clients of the messaging service when they were paired with an iPhone.

The bug was found in WhatsApp’s Content Security Policy (CSP), an additional layer of security that organizations often use to prevent certain types of attacks. The flaw allowed malicious actors to manipulate messages and links using a method called cross-site scripting.

When a user taps on one of these fake texts, they unwittingly grant the attacker permission to read their computer’s local files and insert malicious code. The vulnerability required user interaction, but could be exploited remotely.

“A vulnerability in WhatsApp Desktop in connection with WhatsApp for iPhone enables cross-site scripting and local reading of files. To exploit the vulnerability, the victim must click a link preview in a specially crafted text message,” Facebook wrote in a security advisory.

The bug affects WhatsApp desktop builds prior to version 0.3.9309 and WhatsApp for iPhone versions prior to version 2.20.10. The issue was resolved on January 21, 2020. Therefore, update the WhatsApp app on your computer and iPhone to ensure your security.

“Older versions of the Chrome framework from Google Chrome, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome offer protection against such JavaScript changes. Other browsers like Safari are still very open to these vulnerabilities,” said PerimeterX founder and CTO Ido Safruti.

Oddly enough, the vulnerability doesn’t affect Android phone owners. We contacted PerimeterX to understand why this is an exclusive iOS issue and will update the story as soon as we learn about it.

In the past year, WhatsApp has had great difficulty closing security holes. In November, the Facebook-owned messaging giant fixed a bug that could allow hackers to take control of a phone with just one MP4 file. A few weeks ago, it turned out that this bug also affected the phone and sensitive data of Amazon’s Jeff Bezos. The CEO of Telegram later accused WhatsApp, in a devastating blog post, of deliberately setting up back doors for law enforcement agencies and disguising them as bugs if they are caught.

