Facebook has just patched a vulnerability in WhatsApp that could allow a hacker to take control of a target’s computer via a single text message.
Security researcher Gal Weizman, with PerimeterX, discovered the flaw and worked with Facebook to fix it. The flaw does not impact all users, only those using the iOS version paired with a desktop version, either macOS or Windows.
According to Facebook’s security advisory, “a vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
As Weizman points out, much of this is because Facebook has not properly updated the underlying framework on which the desktop version of WhatsApp is built. That framework is Electron, a platform that allows developers to use web technologies to create “native” apps. Electron, in turn, is based on Chromium, the open-source foundation of Google Chrome. In an era where cloud computing and web applications have become dominant, Electron gives companies the ability to maximize their developer talent by focusing on web languages, frameworks and technologies.
Unfortunately, in this instance, WhatsApp was based on Electron 4.1.4, instead of the current 7.x.x. In version 4.1.4, the included version of Chromium was Chrome/69, instead of the current Chrome/78. If Facebook had updated to the latest version of Electron, and therefore the underlying Chromium, this bug would not have been possible, as it had been patched in Chromium and Electron some time ago.
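A defender-side check for the version lag described above, as an added example that is not from the original article or from WhatsApp: it reads the Electron and Chrome tokens from a user-agent string and compares their major versions with the Electron 7.x.x / Chrome/78 baseline the article calls current. The sample user agents, the app name ExampleApp and the function names are assumptions made for illustration.

```javascript
// Added example: audit the Electron/Chromium versions an app reports.
// Baseline majors are the "current" versions named in the article.
const BASELINE = { electron: 7, chrome: 78 };

// Pull the Electron/x.y.z and Chrome/x.y.z product tokens out of a user agent.
function parseUserAgent(ua) {
  const versions = {};
  for (const [, name, version] of ua.matchAll(/\b(Electron|Chrome)\/(\d+(?:\.\d+)*)/g)) {
    versions[name.toLowerCase()] = version;
  }
  return versions;
}

// Compare reported versions against the baseline. The input has the same
// shape as Electron's process.versions ({ electron: "...", chrome: "..." }).
// A missing component is reported as "unknown" rather than silently passed.
function auditRuntime(versions, baseline = BASELINE) {
  const findings = [];
  for (const [component, minMajor] of Object.entries(baseline)) {
    const reported = versions[component];
    if (!reported) {
      findings.push({ component, reported: null, minMajor, status: "unknown" });
      continue;
    }
    const major = Number.parseInt(reported.split(".")[0], 10);
    findings.push({
      component,
      reported,
      minMajor,
      status: major >= minMajor ? "ok" : "outdated",
      majorsBehind: Math.max(0, minMajor - major),
    });
  }
  return findings;
}

// Constructed sample user agents: app name and build numbers are made up;
// only Electron 4.1.4 / Chrome 69 and the 7.x / 78 majors come from the article.
const SAMPLES = {
  old: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ExampleApp/1.0.0 Chrome/69.0.0.0 Electron/4.1.4 Safari/537.36",
  current: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ExampleApp/2.0.0 Chrome/78.0.0.0 Electron/7.0.0 Safari/537.36",
  browser: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.0.0 Safari/537.36",
};

for (const [label, ua] of Object.entries(SAMPLES)) {
  console.log(label, auditRuntime(parseUserAgent(ua)));
}
```

Inside an Electron app the same audit can be fed `process.versions` directly instead of a parsed user agent.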
“It is 2020, no product should be allowing a full read from the file system and potentially a RCE from a single message,” Weizman writes.
He’s absolutely right. At a time when hackers are developing more powerful tools and methods to compromise systems, there is no excuse for development this lazy and irresponsible.