The cybersecurity researcher discovered several security vulnerabilities in WhatsApp, revealing that one of the most used messaging applications is not as secure as previously thought. PerimeterX's Gal Weizman used his JavaScript expertise to find multiple vulnerabilities in the popular messaging app that could leave users at risk of attack by allowing both text content and links in previews. of the website that will be spoofed to display fake content and modified links that point to malware destinations. Vulnerabilities found in the WhatsApp desktop app can be used to help phishing campaigns, spread malware, and even ransomware to endanger millions of users, as the email service currently has more than 1.5 billion users. assets per month
Edit messages
Finding a loophole in the content security policy (CSP) used by WhatsApp, Weizman was able to enable workarounds as well as cross-site scripting (XSS) in the messaging service's desktop app. This allowed it to gain local file system read permissions on Mac and Windows desktop applications. By exploiting these flaws, hackers could target unsuspecting users with harmful code or links injected into their messages. To make matters worse, these message notifications would be completely invisible to the uninformed eye. These types of attacks are possible simply by modifying the JavaScript of a single message before it is delivered to its recipient. Thanks to WhatsApp's desktop platform, Weizman was able to find the code where the messages are formed, modify it, and then let the app continue sending these messages as usual. This bypassed the filters and sent the modified message through the app as usual, where it looked relatively normal in the UI. Weizman even found that website previews, displayed when users share web links, can also be altered before they are displayed. To avoid falling victim to this type of attack, WhatsApp users should look for text that might look more like code than legitimate text. Furthermore, a malicious message can only work if it contains the text "javascript", so users should also search for it if the code is visible. Finally, users should exercise caution and avoid opening links sent from unknown accounts. Interested users interested in learning more about Weizman's discovery can check out his blog post on the Perimeter X website.