Obsessed with technology?
Subscribe to the latest tech news as well as exciting promotions from us and our partners!
By subscribing, you indicate that you have read & understood the SPH's Privacy Policy and PDPA Statement.
News
News Categories

A WhatsApp desktop security flaw let attackers remotely access files

By Koh Wanzi - on 6 Feb 2020, 11:00am

A WhatsApp desktop security flaw let attackers remotely access files

You should probably update your WhatsApp desktop client to the latest version if you haven't already. According to PerimeterX researcher Gal Weizman, Facebook has patched a security vulnerability in the desktop versions of WhatsApp that allowed attackers to insert JavaScript code into messages and remotely access files. This applies to both the Mac and Windows version of the app, and it could potentially let malicious actors alter the metadata of messages, search for sensitive documents on local file systems, or even install malware.

The versions of WhatsApp Desktop with the flaw used an outdated version of Google's Chrome browser engine, Chrome 69, which had known vulnerabilities. Newer versions of the Chromium engine would have caught the malicious code, and Facebook says WhatsApp Desktop versions 0.3.9309 and earlier are affected, for people who have paired it with WhatsApp's iOS app prior to version 2.20.10.

Attackers could see the contents of files received by a certain desktop. (Image Source: Gal Weizman)

It's a result of how the desktop client is implemented using the Electron software framework, which has had its own share of security flaws in the past. Electron lets developers create cross-platform applications based on Web and browser technologies, but it is only as secure as the components developers deploy in their Electron apps. 

Facebook has since rolled out new versions of WhatsApp Desktop that use updated browser components.