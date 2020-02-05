If you use WhatsApp on a Mac, make sure the desktop app has been updated to the current version, 0.4.316. It closes a very nasty security hole.

The vulnerability was discovered by security researcher Gal Weizman. It builds on an earlier finding in which a reply could fake the original message it quotes …

An attacker can use the quote feature in a group conversation to change the identity of the quoted sender, even to someone who is not a member of the group, and to alter the text of another person's message, essentially putting words in their mouth.

That bug has not been fixed. It set Weizman thinking: if you can tamper with quoted text, why not with a link?

The actual exploit is fairly involved, but the bottom line is that an innocent-looking link in a WhatsApp message silently sends the recipient to a malicious website, which then executes JavaScript code.

He was then able to use that malicious code to read files from the victim's Windows PC or Mac. In his write-up, Weizman explains:

These kinds of applications are written using Electron. Electron is a cool platform that lets you create "native" applications using standard web features. This makes things very easy for many large companies because they can have one source code base for both their web applications and their native desktop applications. Electron keeps being updated along with the platform it is based on: Chromium.

That means my XSS works, because it is a variant of Chrome! (…)

Right – Chrome/69 – The latest version of WhatsApp's desktop applications is based on Chrome/69. This vulnerability was found when Chrome/78 was the stable version! A few versions before Chrome/78, the ability to use javascript: URIs was fixed. If WhatsApp had updated its Electron web application from 4.1.4 to the latest, which was 7.x.x at the time of discovery (!), this XSS would never have existed!

And worse – since Chromium 69 is relatively old, it's possible to use a one-day RCE! There are more than 5 different one-day RCEs in Chromium 69 or higher. You just have to find a published one and use it on top of the previously found persistent XSS and BAM: remote code execution ACHIEVED! (…)

This works on WhatsApp Windows Desktop / Mac Desktop.

