
WhatsApp Security Bug You Didn’t Know Of


A high-severity cross-site scripting (XSS) vulnerability was recently identified in the WhatsApp desktop client. It could let attackers deliver ransomware, phishing pages, or malware through chat messages whose link previews look completely normal to the recipient. The researchers further found that, in some browser engines, the flaw could be parlayed into remote code execution.

WhatsApp has more than 1.5 billion monthly active users, so even the fraction who use the desktop client is a large attack surface. iPhone users are affected when they pair an unpatched desktop client with an outdated iPhone app. The desktop client is an Electron application, so "old versions of Google Chrome" here means the outdated Chromium build bundled with unpatched desktop versions; that is what lets an XSS escalate beyond the app's own page.

The National Vulnerability Database (NVD) states that WhatsApp Desktop versions prior to 0.3.9309, when paired with WhatsApp for iPhone versions prior to 2.20.10, allow cross-site scripting (XSS) and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

More specifically, both the link and the text content of a website preview can be tampered with, so that a preview displays false content and a modified link that points to a malicious website or starts a download.

Harmful code or links can be injected into otherwise innocuous exchanges, so that a victim clicks a malicious link that appears to come from a friend.

To the untrained eye, these modifications are barely visible. The attacker only needs to modify the JavaScript object of a single message before it is delivered to the recipient: the preview metadata is sender-controlled, so the domain shown in the preview and the real target of the link can differ. The end game, according to the researchers, is remote code execution, a potential outcome in some browser engines. The researchers also found that links to malicious pages or downloads can be made to look like links to legitimate domains such as facebook.com or another trusted site.
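The defensive check a client should apply follows directly from the description above: the displayed domain must be derived from the validated link target, not from sender-supplied preview metadata, and non-web schemes such as javascript: or file: must never become clickable. The following is an added example written for this page, not WhatsApp's or the researchers' code; the message shape (title, displayUrl, href) and the sample messages are constructed assumptions.

```javascript
// Added example: hardened link-preview vetting and rendering.
// The preview object shape {title, displayUrl, href} is an assumption,
// not WhatsApp's real message format.

// Only web schemes may become clickable previews. This blocks the
// javascript: (XSS) and file: (local file read) targets the advisory describes.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse and vet the real target of a preview.
// Returns {ok: true, href, host} or {ok: false, reason}.
// The host shown to the user is taken from the validated href, never from
// the sender-supplied displayUrl, so a facebook.com label over a link to
// another site is rejected rather than rendered.
function vetPreviewTarget(preview) {
  let url;
  try {
    url = new URL(String(preview.href));
  } catch (e) {
    return { ok: false, reason: "unparseable href" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  if (preview.displayUrl !== undefined) {
    let shown = null;
    try { shown = new URL(String(preview.displayUrl)); } catch (e) { /* treated as mismatch */ }
    if (!shown || shown.host !== url.host) {
      return { ok: false, reason: "displayed domain does not match link target" };
    }
  }
  return { ok: true, href: url.href, host: url.host };
}

// Escape sender-controlled text before it is placed into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a preview only when the target passes vetting; otherwise emit a
// non-clickable placeholder so the message itself still displays.
function renderPreview(preview) {
  const v = vetPreviewTarget(preview);
  if (!v.ok) {
    return { html: '<div class="preview-blocked">Link preview unavailable</div>', blocked: true, reason: v.reason };
  }
  const html =
    `<a href="${escapeHtml(v.href)}" rel="noopener noreferrer" target="_blank">` +
    `<span class="domain">${escapeHtml(v.host)}</span>` +
    `<span class="title">${escapeHtml(preview.title)}</span></a>`;
  return { html, blocked: false };
}

// Constructed sample messages (not captured traffic): one benign preview and
// three tampered ones mirroring the attack shapes described in the article.
const SAMPLES = {
  benign:        { title: "A post",  displayUrl: "https://www.facebook.com/", href: "https://www.facebook.com/some/post" },
  xss:           { title: "Click me", displayUrl: "https://www.facebook.com/", href: "javascript:fetch('file:///etc/passwd')" },
  spoofedDomain: { title: "Login",   displayUrl: "https://www.facebook.com/", href: "https://example.net/phish" },
  injectedTitle: { title: "<img src=x onerror=alert(1)>", href: "https://example.org/" },
};

// Summarise how each sample is handled; useful when run stand-alone.
function summarise() {
  const out = {};
  for (const [name, p] of Object.entries(SAMPLES)) {
    const r = renderPreview(p);
    out[name] = r.blocked ? `blocked (${r.reason})` : `rendered for ${vetPreviewTarget(p).host}`;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarise());
}
```

The key design choice is that the displayed domain is never read from the message: it is recomputed from the parsed href, so a mismatch between what the sender claims and where the link goes is a rejection condition rather than something the user must spot.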
