Skip to main content

PSA: Update WhatsApp on Mac as old versions allow attackers access to files

If you use WhatsApp on Mac, you’ll want to make sure the desktop app has been updated to the current version, 0.4.316. This closes a very nasty security hole.

The vulnerability was discovered by security researcher Gal Weizman. It built on an earlier issue in which replies could fake the original text

A threat actor may use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group, as well as the text of someone else’s reply, essentially putting words in their mouth.

There’s no fix available for that, which is what got Weizman thinking. If you can mess with text, why not do the same with a link?

The actual exploit is pretty involved, but the bottom line is that it’s possible for an innocent-looking link in a WhatsApp message to invisibly redirect people to a malicious website and then run some Javascript code to execute code.

He was then able to get that malicious code to read files from either a Windows PC or a Mac.

These types of applications are written using Electron. Electron is a cool platform that lets you create “native” applications using standard web features. This makes things super easy for a lot of big companies since it allows them to have one source code for both their web applications and native desktop applications. Electron constantly updates along with the platform it is based on: Chromium.

That means my XSS works since this is – after all – a variant of Chromium! […]

That’s right – Chrome/69 – the latest version of the WhatsApp desktop applications provided by WhatsApp is Chrome/69 based. This vulnerability was found when Chrome/78 was the stable version! A few versions before Chrome/78, the ability to use the javascript: trick was patched, and if WhatsApp would have updated their Electron web application from 4.1.4 to the latest which was 7.x.x at the time this vulnerability was found(!) – this XSS would never have existed!

And even worse – Since Chromium 69 is relatively old, exploiting a 1-day RCE is possible! There are more than 5 different 1-day RCEs in Chromium 69 or higher, you just need to find a published one and use it through the persistent XSS found earlier and BAM: Remote Code Execution ACHIEVED! […]

This works for WhatsApp Windows Desktop/Mac Desktop.

Earlier today, we reported on a Philips Hue vulnerability which would not only allow an attacker to control your bulbs but potentially gain access to your whole network. The moral of the story: keep your apps and devices updated.

FTC: We use income earning auto affiliate links. More.

Hyper Drive GEN2
You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear