Skip to main content

WhatsApp Bug Allows Malicious Code-Injection, One-Click RCE



A high-severity vulnerability could allow cybercriminals to push malware or remotely execute code, using seemingly innocuous messages.
Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. And, further investigation shows this could be parlayed into remote code-execution.
The desktop platform has more than 1.5 billion monthly active users. The high-severity bug (rated 8.2 on the CVSS severity scale) could impact those that also use WhatsApp for iPhone, if they don’t update their desktop and mobile apps, and if they don’t use newer versions of the Chrome browser.
“A vulnerability [CVE-2019-18426] in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting (XSS) and local file reading,” according to the National Vulnerability Database. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
More specifically, “The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations,” PerimeterX founder and CTO Ido Safruti wrote in a blog post, on Tuesday.
Bad actors can inject harmful code or links into “seemingly innocuous exchanges,” according to Safruti, causing unsuspecting users to click on malicious links that appear to them like messages from a friend.
“These message modifications would be completely invisible to the untrained eye,” he wrote. “Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient.”
However, the end game is remote code-execution — a potential outcome in some browsers, according to the researchers.
PerimenterX cybersecurity researcher and JavaScript expert Gal Weizman first discovered vulnerabilities leading to this latest bug in WhatsApp in 2017. He broke down the journey to discovering the latest flaw and its potential for leading to RCE in a separate post. He also said he has been working with Facebook, which owns and oversees WhatsApp, to fix the issues.
In his breakdown, Weizman showed how he  started by tampering with the JavaScript for the rich preview banners of messages—the ones that include extra information regarding a link that is in the body of the message.
rich preview link
An example of a rich preview link in a WhatsApp message.
Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow. This bypassed filters and sent the modified message through the app as usual, appearing relatively normal in the user interface. Weizman also found that website previews, displayed when users share web links, can also be tampered with before being shown.
In this way, it’s possible to inject links that redirect a user to malicious web pages or that initiate malware downloads. Further, the researcher discovered that he could also make those links look like authentic domain links — i.e., as if they really come from Facebook or other legitimate website.
“This works thanks to the role ‘@; plays in the spec of URL,” Weizman wrote. “The purpose of ‘@’ in URLs is to pass username and password to visited domains in the following way: https://USERNAME:PASSWORD@DOMAIN.COM. One can abuse this, as I just did, and replace the username and password with anything else: https://DOMAIN-A.COM@DOMAIN-B.com and it’ll still work. Firefox is the only browser that warns users, by default, In case this method is used without providing a username and password.”
It should be noted that newer versions of Google Chrome have protections against these kinds of JavaScript modifications, according to the research, while “other browsers such as Safari are still wide open to these vulnerabilities.”
After successfully exploiting CVE-2019-18426 and performing this code injection to achieve an open redirect, the researcher took it further, to spin the hack into a persistent XSS attack through trial and error. To do so he employed JavaScript URIs (a trick that only works on non-Chromium based browsers, it should be noted):
Weizman continued probing the vulnerability to eventually bypass WhatsApp’s Content Security Policy (CSP) rules to enhance the power of the persistent XSS, which he managed to do by using Google’s CSP Evaluator. There, he discovered that the CSP lacked the object-src directive.
“Since object-src directive is missing [in the CSP], it means I can use object to load an iframe(ish) to any origin of my choice,” he wrote in the post. “That way I’ll be able to run any external code with no size limits and no problems.”
Weizman then showed how he executed malicious code on the web.whatsapp.com domain by using the XSS exploit to load the aforementioned iframe. That opens up the potential for RCE, he said.
“I then use the iframe to post a message to the top window with the content of the external code,” he explained. “The top window, where the XSS was executed, receives the message from the iframe, parses the external payload provided by it and executes it in its context (web.whatsapp.com). Win! External payload was successfully fetched and executed in the context of WhatsApp!”
The entire attack can be executed with one click from the user on the altered rich preview message.
Weizman stressed the importance of an app’s CSP rules, which could have prevented the vulnerability from being exploited in the first place.
“If the CSP rules were well configured, the power gained by this XSS would have been much smaller,” he wrote. “Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more!”
WhatsApp’s desktop platform certainly isn’t the only version of the popular messaging service to contain vulnerabilities. Last year alone, researchers found a number of flaws in the more widely used mobile app version of WhatsApp that have allowed for remote code execution, the delivery of spyware, and exposure of personal media files, among others.

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...