Flaws in WhatsApp could expose users to malicious links

News by Rene Millman

Multiple WhatsApp vulnerabilities could aid phishing campaigns and ransomware

Security researchers have discovered multiple flaws in WhatsApp that could leave users vulnerable to attack. The flaws allow both the text content and the links in website previews to be tampered with, so that messages display false content and modified links that point to malicious destinations.

According to a blog post by PerimeterX, its cybersecurity researcher and JavaScript expert Gal Weizman found a gap in the Content Security Policy (CSP) used by WhatsApp, enabling bypasses and cross-site scripting (XSS) on the desktop app.

This also allowed him to gain read permissions on the local file system in both the Mac and Windows desktop apps. The company said that unsuspecting users could be subject to harmful code or links injected into their seemingly innocuous exchanges.

“These message modifications would be completely invisible to the untrained eye. Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient,” said Ido Safruti, founder and CTO of PerimeterX.

Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow. The code bypassed filters and sent the modified message through the app as usual, appearing relatively normal in the user interface.

The researcher also found that website previews, displayed when users share web links, can be tampered with before being shown.

Safruti said that older versions of Google Chrome’s Chromium framework, as used by the vulnerable versions of the WhatsApp desktop application, are susceptible to these code injections, although newer versions of Google Chrome have protections against such JavaScript modifications. He added that other browsers such as Safari are still wide open to these vulnerabilities.

“As businesses increasingly rely on social messaging apps such as WhatsApp for customer engagement, they must remain vigilant about these risks. As we learned from this research, malicious third parties can modify content and redirect users, putting the brand experience and user data at risk,” said Safruti.

Corin Imai, senior security advisor at DomainTools, told SC Media UK that the fact that this vulnerability exists in such a prominent messaging platform is definitely a cause for concern.

WhatsApp has an estimated 1.5 billion monthly users, and in developing democracies such as India, where WhatsApp counts a user base of 200 million, it has become a substitute for town-square talk.

“Users in India would have their ‘family’ and ‘friends’ chat groups, but often also use third-party apps to find and join WhatsApp groups aligned with their political views. For a vulnerability to be able to edit the content of messages is both a legitimate cause for concern from a cyber-security perspective, but potentially also from a fake news perspective,” she said.

In the UK, some companies use WhatsApp as a backup communications network in case their internal server network is compromised through heavy infiltration by an intruder.

Keith Geraghty, solutions architect at edgescan, told SC Media UK that users should ensure they use the latest safe release of the software. “But while defences on the software side may add a layer of protection, it’s been proven the most effective approach to these types of attacks is educating your users. Organisations need to invest in proper phishing campaigns, educating non-security savvy people to review and look closely at the link they are about to click. This can be as simple as simply hovering over the link and observing where you will be taken or what you are downloading,” he said.
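The check described above, comparing what a link shows with where it actually leads, can also be applied in code on the receiving side. The following is an added example, not code from PerimeterX or WhatsApp; the function names, finding labels and sample URLs are constructed for illustration.

```javascript
// Added example; auditLink and the finding names are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

const stripWww = (host) => host.toLowerCase().replace(/^www\./, "");

// First host-looking token in the visible text, e.g.
// "Offer at https://example.com/sale" -> "example.com"; null if none.
function displayedHost(displayText) {
  const m = displayText.match(
    /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])/i
  );
  return m ? stripWww(m[1]) : null;
}

// True when `actual` is the shown host or a subdomain of it. Matching on a
// label boundary means "example.com.evil.test" does not pass as "example.com".
function sameSite(shown, actual) {
  return actual === shown || actual.endsWith("." + shown);
}

// Returns a list of findings; an empty list means text and target agree.
function auditLink(displayText, href) {
  let target;
  try {
    target = new URL(href);
  } catch {
    return ["unparseable-target"];
  }
  const findings = [];
  if (!ALLOWED_SCHEMES.has(target.protocol)) findings.push("unexpected-scheme");
  const shown = displayedHost(displayText);
  if (shown && !sameSite(shown, stripWww(target.hostname))) {
    findings.push("host-mismatch");
  }
  return findings;
}

// Constructed sample previews (not taken from the research).
const samples = [
  ["https://example.com/sale", "https://www.example.com/sale"],
  ["https://example.com/sale", "https://example.com.evil.test/sale"],
  ["example.com", "https://shop.example.net/"],
  ["Click here", "ftp://files.example.net/a"],
];
for (const [text, href] of samples) {
  console.log(JSON.stringify(text), "->", href, auditLink(text, href));
}
```

Only the second and third samples report `host-mismatch`; a plain substring comparison would have accepted the second one because the target contains the text `example.com`.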
