WhatsApp Security Warning For iPhone Users As One-Click Attack Risk Confirmed

This article is more than 4 years old.

Do you use WhatsApp on your iPhone? Have you updated the app recently? Here's hoping you didn't answer yes and no.

On February 1, WhatsApp stopped working for users of iPhones running Apple iOS 8 or earlier. That may well have been a blessing in disguise, as an alarming new security threat to iPhone-using WhatsApp fans has been confirmed.

WhatsApp in the news again, for all the wrong reasons

WhatsApp and the iPhone have been bound together in the news headlines recently, with a WhatsApp message alleged to be the culprit in the hacking of Jeff Bezos' iPhone. However, when it comes to WhatsApp itself, the ubiquitous messenger app is no stranger to security problems.

From the "Reverse Engineering WhatsApp Encryption for Chat Manipulation and More," report last year, to the stupidly simple social-engineering hack story this, WhatsApp and security problems naturally grab our collective attention given the incredible reach of the messenger app.

What is this new 'one-click attack' risk for iPhone users?

A researcher working with PerimeterX, Gal Weizman, found there were multiple security vulnerabilities in WhatsApp with the potential to impact iPhone users. Unsurprisingly, when you learn that Weizman is a JavaScript expert, these vulnerabilities had JavaScript at their core.

The vulnerabilities, collectively referenced as CVE-2019-18426, are described as involving WhatsApp Desktop versions "prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10" and allow for "cross-site scripting and local file reading." If the local file reading bit scares the pants off you, and it should, maybe you should sit down before investigating the cross-site scripting risk. This leaves "users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations," according to the PerimeterX report.

The worst, I'm afraid, is still to come. Exploiting the vulnerability requires an attacker to send a maliciously crafted text message and for the victim to click it.

One-click and you're out.

While WhatsApp itself is said to have 1.5 billion active monthly users, the number of those who are using the app on an iPhone is not known. Because this vulnerability, as devastatingly simple and dangerous as it is, can only be exploited by those users with an older desktop app connected to their older iPhone app, the number of people at risk is reduced even further. However, the starting point is so large that we could still well be talking hundreds of thousands, if not millions.

Getting technical and diving into the WhatsApp Content Security Policy

PerimeterX researcher Weizman dug deep into the WhatsApp Content Security Policy (CSP) and it was here that he found the "gap" that enabled him to perform "bypasses and cross-site scripting" exploits on the desktop app itself. This also meant he was able to get read permissions from the local file system on the app. Injecting malicious code or links into text messages became relatively simple at this point by modifying the JavaScript code of the message before delivery, and totally invisible to the average WhatsApp user. For a malicious message to work, it must contain the text "javascript:" which will most likely be written off as some app weirdness by most non-technical users.

Importantly, while newer versions of Google Chrome have JavaScript modification protections built-in (the older version as implemented by the vulnerable WhatsApp desktop application didn't), Safari is, according to the researchers, "still wide-open to these vulnerabilities."
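The defensive counterpart to the tampering described above is to validate a link preview before it is rendered. The following is an added example, not code from WhatsApp, PerimeterX or this article; the message shape (`text`, `preview.href`, `preview.displayedHost`) and the sample messages are constructed for illustration. It parses the link with the standard `URL` class rather than matching the string "javascript:", because the parser normalizes mixed case and embedded tabs that a substring check would miss.

```javascript
// Added example: validate a link-preview payload before rendering it.
// The message shape below is hypothetical, not WhatsApp's real format.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a parsed URL, or null for anything that is not an absolute URL.
function parseAbsolute(raw) {
  try { return new URL(raw); } catch { return null; }
}

function checkPreview(message) {
  const problems = [];
  const target = parseAbsolute(message.preview.href);
  if (!target) {
    return { safe: false, problems: ["href is not an absolute URL"] };
  }
  // 1. Only web schemes may be clickable; this rejects javascript:, file:, data:, etc.
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    problems.push(`scheme ${target.protocol} is not allowed`);
  }
  // 2. The host shown in the preview banner must be the host the click goes to.
  if (message.preview.displayedHost.toLowerCase() !== target.hostname) {
    problems.push("displayed host differs from link host");
  }
  // 3. The link must correspond to a URL the sender actually typed in the text.
  const hostsInText = (message.text.match(/https?:\/\/\S+/gi) || [])
    .map(parseAbsolute)
    .filter(Boolean)
    .map((u) => u.hostname);
  if (!hostsInText.includes(target.hostname)) {
    problems.push("link host does not appear in message text");
  }
  return { safe: problems.length === 0, problems };
}

// Constructed sample messages (not captured traffic).
const benign = {
  text: "Look at https://example.com/news",
  preview: { href: "https://example.com/news", displayedHost: "example.com" },
};
const swappedLink = {
  text: "Look at https://example.com/news",
  preview: { href: "https://example.net/login", displayedHost: "example.com" },
};
const scriptScheme = {
  text: "Look at https://example.com/news",
  preview: { href: "JaVa\tScRiPt:void(0)", displayedHost: "example.com" },
};
```
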

The WhatsApp response to these latest app security revelations

"We regularly work with leading security researchers to stay ahead of potential threats to our users," a WhatsApp spokesperson said, "in this case, we fixed an issue that in theory could have impacted iPhone users that clicked on a malicious link while using WhatsApp on their desktop."

The WhatsApp spokesperson also confirmed that the vulnerabilities were fixed promptly, and the patch has been applied to app downloads since the middle of December, 2019.

Mitigating the one-click WhatsApp exploit risk

The mitigation advice given to WhatsApp users who wanted to continue using the app on older iPhones was to update the operating system if possible. The mitigation advice now is to update the app itself and do so as a matter of some urgency.

What do information security experts have to say about the latest WhatsApp security scare?

"The fact that this vulnerability exists in such a prominent messaging platform is definitely a cause for concern," Corin Imai, senior security advisor at DomainTools said, "for a vulnerability to be able to edit the content of messages is both a legitimate cause for concern from a cybersecurity perspective, but potentially also from a fake news perspective."

Javvad Malik, a security awareness advocate at KnowBe4, said he was thankful that for now, at least, the issue only affects "WhatsApp Desktop prior to v0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10." That fact doesn't make it any the less significant a finding, Malik continued, "with phishing the most popular method for bad actors to compromise organizations, this attack method adds another string to their bow and can be used effectively to trick users into clicking on malicious links."

"Users should ensure they use the latest safe release of the software," Keith Geraghty, solutions architect at Edgescan said, "but while defenses on the software side may add a layer of protection, it’s been proven the most effective approach to these types of attacks is educating your users."
