Facebook patched a critical WhatsApp vulnerability that would have allowed potential attackers to read files from a user’s local file system, on both macOS and Windows platforms.
“A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading,” Facebook’s security advisory explains. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
The software was running an older release of Google’s Chromium web engine all the way back to version 69 with known flaws that made it relatively easy to slip in rogue code. It wouldn’t have been difficult to alter messages, look for sensitive documents or install additional malware.
Facebook built WhatsApp on an Electron framework that makes it easier to deliver multi-platform apps based on web technology. As Ars Technica explained, though, Electron isn’t secure if an app is based on an outdated web engine.
The flaws affect WhatsApp’s desktop software from version 0.3.9309 and earlier, as well as people who paired the app with WhatsApp’s iOS editions before 2.20.10. You’re probably safe if you downloaded the app recently or have been vigilant about staying current. This is mainly a reminder that web-based apps aren’t automatically safe, and that secure messaging is only truly secure if you’re on top of upgrades.
