Update now – WhatsApp flaw gave attackers access to local files – Naked Security


Does WhatsApp have a lot of vulnerabilities or are there simply a lot of people looking for them?

Ask PerimeterX researcher Gal Weizman, who last year set about poking the world’s most popular messaging platform to see whether he could turn up any new weaknesses.

Sure enough, this week we learned that he uncovered a clutch of vulnerabilities that led him to a tasty cross-site scripting (XSS) flaw affecting WhatsApp desktop for Windows and macOS when paired with WhatsApp for iPhone.

Patched this week as CVE-2019-18426, it’s the sort of weakness iPhone WhatsApp desktop users will be glad to see the back of.

The immediate problem was caused by a gap in WhatsApp’s Content Security Policy (CSP), a security layer used to protect against common types of attack, including XSS.

Using modified JavaScript in a specially crafted message, an attacker could exploit this to feed victims phishing and malware links in weblink previews in ways that would be invisible to the victim.
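The article does not spell out what the gap in WhatsApp's CSP was, but the general failure mode it describes (a policy that still lets injected script run) is something a defender can check for. The following is an added example, not code from the article, Naked Security or WhatsApp: a small Python linter that parses a CSP header string and reports script-src weaknesses that would leave inline-script XSS possible. The two policies it is run against are constructed samples and are not WhatsApp's real policy.

```python
# Added example (not from the article or WhatsApp): a minimal Content Security
# Policy linter. It parses a CSP header and flags script-src gaps that leave
# injected-script XSS possible. The sample policies are constructed for this
# example and do not reflect any real product's policy.

from typing import Dict, List

# Constructed sample policies (assumptions for the example).
WEAK_CSP = (
    "default-src 'self'; img-src * data:; "
    "script-src 'self' 'unsafe-inline' https:"
)
HARDENED_CSP = (
    "default-src 'none'; script-src 'self'; style-src 'self'; "
    "img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'none'"
)

# Source expressions that allow inline script without a nonce or hash being
# present. Per CSP level 2+, a nonce or hash in the same directive causes
# browsers to ignore 'unsafe-inline', so we only flag it when none is present.
_NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
_OVERLY_BROAD = {"*", "https:", "http:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set explicitly."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def find_script_gaps(header: str) -> List[str]:
    """Return human-readable findings for script-execution gaps in a CSP."""
    policy = parse_csp(header)
    findings: List[str] = []

    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts from any origin run")
        return findings

    sources = [s.lower() for s in effective_script_sources(policy)]

    has_nonce_or_hash = any(s.startswith(_NONCE_OR_HASH_PREFIXES) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without nonce/hash: injected inline <script> executes")

    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval': string-to-code sinks (eval, new Function) are allowed")

    for s in sources:
        if s in _OVERLY_BROAD or s.startswith(("https://*", "http://*", "*.")):
            findings.append(f"overly broad script source {s}: attacker-hosted scripts may load")

    # object-src also falls back to default-src; plugins can execute script.
    object_sources = policy.get("object-src", policy.get("default-src", []))
    if "'none'" not in [s.lower() for s in object_sources]:
        findings.append("object-src not 'none': plugin-based script execution is not blocked")

    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {csp}")
        for finding in find_script_gaps(csp) or ["no script gaps found"]:
            print("  -", finding)
```

Run as a script, it prints three findings for the weak policy (inline script allowed, the broad `https:` source, and unrestricted `object-src`) and none for the hardened one. The same function can be pointed at a policy pulled from a live `Content-Security-Policy` response header to audit a web client's XSS exposure before an attacker does.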

According to Weizman, this is probably remotely exploitable although the users would still need to click on the link for an attack to succeed.

However, it could also be used to gain read permission to the local file system (that is, the ability to access and open files) and, potentially, for remote code execution (RCE).
