WhatsApp Web flaw lets cyber criminals access their victims' files remotely

A security flaw that lets cybercriminals send malicious code hidden in bogus messages was discovered on WhatsApp Web.
AFP

A security flaw has been discovered on WhatsApp Web that lets cyber criminals send bogus messages giving them access to files on a victim's computer.

Security researcher Gal Weizman, who discovered the flaw, explained that the malicious link could be hidden behind a deceptive message, made to look like a link to an ordinary website.

Once users click on the link, it would launch a script that allows the attacker to retrieve files from the compromised computer and potentially open a backdoor to create more trouble.

He noted that the exploit was possible because WhatsApp Desktop was developed by Facebook using the Electron software framework.

Electron is used by developers to create cross-platform apps based on browser technologies, and in this case the app was built on an outdated version of the Chrome browser's Chromium engine, Chrome 69.

The more recent versions of the Chromium engine - Chrome 78 and up - are able to catch the malicious code.

Ars Technica reported that the vulnerability affects WhatsApp Desktop versions 0.3.9309 and earlier, for iPhone users who paired the desktop app with a version of WhatsApp for iOS older than 2.20.10.

Facebook has since created a patch to fix this issue.

Users are advised to update the WhatsApp app on both their computer and the smartphone they use to connect to WhatsApp Web.