Using WhatsApp on PC or Mac? Update right now to avoid this nasty flaw

WhatsApp on both a phone and a desktop.
(Image credit: Mykolastock/Shutterstock)

If you use the WhatsApp desktop application on a Mac or a Windows PC, patch it now. The previous version is full of security holes. If you're using WhatsApp on iOS, you might as well update that, too.

"A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading," Facebook dryly explains in a brief security advisory posted in late January. "Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message."

The affected versions are "WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10," Facebook adds.

Except it's not that simple. In a blog post yesterday (Feb. 4), PerimeterX researcher Gal Weizman found at least five different ways to exploit the Mac and Windows WhatsApp program. You should update your WhatsApp desktop client whether or not you use an iPhone.

Retro isn't always right

The problems stemmed partly from the fact that, until this latest update, the WhatsApp desktop app was still built on an old version of Chromium (version 69). Chromium itself had long since moved on (version 80 is current today) and fixed numerous known flaws along the way.

A lot of modern desktop applications, including those for Discord, Skype, Slack, Spotify and WhatsApp — and even a Windows 95 emulator — are built on top of Chromium browser technology. One advantage of this technique is that Macs, PCs and Linux boxes can all use the same software.

Another Israeli firm, Check Point, had previously found that you could pick apart drafts of WhatsApp messages on the desktop before they were sent, and could also alter messages from other people in chat rooms, as long as the messages passed through your computer first.

Weizman took that research and ran with it, getting the WhatsApp desktop applications (and in some cases, the browser client on the WhatsApp website) to do all sorts of naughty things. These included redirecting WhatsApp users to dangerous websites, sending malicious files to a computer and even infecting a computer with malware. (Some of the best antivirus software might help stymie the last.)

Weizman's blog post is well worth reading. Although rather technical, it's fun to read — he says "Wow!" "YES!" and "Cool!" a few times — and surprisingly easy to comprehend. If you want to get a sense of how browser-based desktop applications work, it's a great place to start.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.