KEY POINTS

  • A security researcher found serious flaws in the WhatsApp client
  • The flaws allow hackers to access files stored in any device
  • The flaws might also allow hackers to gain remote control of the device

Back in 2017, researchers discovered a flaw that allowed attackers to change messages in the WhatsApp client. The flaw, the details of which were revealed in a report published in 2018, basically allowed attackers to “alter the text of someone else's reply, essentially putting words in their mouth.”

A year later, PerimeterX security researcher Gal Weizman looked into that flaw and discovered several problems related to it, some more serious than others, AppleInsider reported. The researcher gave a detailed account of his findings in a lengthy article; here's a quick look at what he found.

The flaw allows hackers to alter the links in rich preview banners

See those banners that often include the logo of a particular website (Facebook, for example), coupled with a short description followed by a link to the website itself? Weizman found that by exploiting the previous flaw, attackers can change the link so that it looks legitimate but actually leads to a different website.

The researcher gave several examples, but one in particular showed that while the banner looked as if clicking on it would lead to Facebook.com, it would actually lead to “https://example.com.”
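As an added illustration (not code from Weizman's report or from WhatsApp), the check below shows how a client could refuse to render a preview banner whose displayed address and real destination disagree. The field names `displayedUrl` and `target`, the scheme allowlist and the sample messages are assumptions constructed for this example.

```javascript
// Added example. Field names (displayedUrl, target) are hypothetical and do
// not come from WhatsApp's message format.
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

// Parse an absolute URL with the WHATWG parser; return null if it is invalid.
function parseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Return the reasons a preview banner should not be rendered as a clickable
// link. An empty array means the banner and its destination agree.
function checkPreview(preview) {
  const target = parseUrl(preview.target);
  if (!target) return ["target is not an absolute URL"];

  const problems = [];
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    problems.push(`scheme ${target.protocol} not allowed`);
  }
  // "https://shown-site@other-site/" opens other-site, not shown-site.
  if (target.username || target.password) {
    problems.push("target carries userinfo before the host");
  }
  const shown = parseUrl(preview.displayedUrl);
  if (!shown) {
    problems.push("displayed URL is not an absolute URL");
  } else if (shown.hostname !== target.hostname) {
    // The parser lowercases hosts, so this is a case-insensitive comparison.
    problems.push(`banner shows ${shown.hostname} but link opens ${target.hostname}`);
  }
  return problems;
}

// Constructed sample previews, mirroring the mismatch described above.
const samples = [
  { displayedUrl: "https://www.facebook.com/", target: "https://WWW.Facebook.com/page" },
  { displayedUrl: "https://www.facebook.com/", target: "https://example.com" },
  { displayedUrl: "https://www.facebook.com/", target: "https://www.facebook.com@example.com/" },
];
for (const s of samples) {
  const problems = checkPreview(s);
  console.log(s.target, "->", problems.length ? problems.join("; ") : "ok");
}
```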

The flaw allows hackers to use persistent-XSS

Ever encountered an alert box while browsing the web, such as one saying that a page is not loading, or that some information needs to be entered before proceeding to the next page? Researchers commonly use alert boxes like these to demonstrate persistent XSS (cross-site scripting), in which injected script is stored in content and runs whenever that content is displayed. Weizman found that hackers can create them and use them to do more serious things, in particular the following:

The flaw allows hackers to read files in any device with WhatsApp

The flaw, which works with Chromium 69, can be exploited to gain access to the files in any device. It can be used to acquire information about the victim's computer (such as operating system version), and read local files stored in the computer. Weizman also said the flaws might even allow hackers to execute code remotely, giving them access and control over the victim's computer.

These findings could help shed light on how Amazon CEO Jeff Bezos's iPhone was hacked. The retail giant chief's handset was reportedly hacked after receiving a message via WhatsApp.

Weizman's detailed report is available here.

Many people use encrypted messaging services like WhatsApp on their phones. Photo: AFP / ARUN SANKAR