CVE-2019-18426: WhatsApp vulnerability let hackers read the local file system

Facebook has resolved a critical vulnerability in WhatsApp (CVE-2019-18426) that hackers could have used to read user files on macOS and Windows.

According to a security bulletin issued by Facebook, “A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”

Weizman discovered a weakness in WhatsApp's Content Security Policy that allowed hackers to conduct cross-site scripting attacks. The same weakness could be used to gain read access to files on the Windows and macOS systems running the WhatsApp desktop application.
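As an added example (not WhatsApp's code, and not its real policy, which the article does not quote), the following JavaScript lints a Content Security Policy string for the permissive source expressions that let injected markup execute script or reach arbitrary origins; both sample policies are constructed for illustration.

```javascript
// Added example: a small CSP linter. The two policies below are constructed
// samples, not the policy shipped by any real application.

// Source expressions that defeat the purpose of script-src / connect-src.
const SCRIPT_WEAK = new Set(["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:", "http:", "https:", "file:", "filesystem:"]);
const CONNECT_WEAK = new Set(["*", "http:", "https:", "file:", "filesystem:"]);

// Split "name src src; name src" into { name: [src, ...] }. Directive names are
// case-insensitive; source values are kept as written (nonces are case-sensitive).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives fall back to default-src; null means completely unrestricted.
function sourcesFor(policy, directive) {
  return policy[directive] || policy["default-src"] || null;
}

function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const script = sourcesFor(policy, "script-src");
  if (!script) {
    findings.push("script-src: unrestricted (no script-src and no default-src)");
  } else {
    // CSP2+ engines ignore 'unsafe-inline' once a nonce or hash source is present.
    const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    for (const s of script) {
      const k = s.toLowerCase();
      if (k === "'unsafe-inline'" && hasNonceOrHash) continue;
      if (SCRIPT_WEAK.has(k) || k.includes("*")) findings.push(`script-src allows ${s}`);
    }
  }

  const connect = sourcesFor(policy, "connect-src");
  if (!connect) findings.push("connect-src: unrestricted (no connect-src and no default-src)");
  else for (const s of connect) if (CONNECT_WEAK.has(s.toLowerCase()) || s.includes("*")) findings.push(`connect-src allows ${s}`);

  const object = sourcesFor(policy, "object-src");
  if (!object || !object.some((s) => s.toLowerCase() === "'none'")) findings.push("object-src is not 'none'");
  return findings;
}

// Constructed samples: a permissive policy and a hardened one.
const WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *";
const HARDENED_POLICY = "default-src 'none'; script-src 'self' 'nonce-R4nd0m'; connect-src 'self' https://api.example.invalid; object-src 'none'";
```

Running `lintCsp(WEAK_POLICY)` reports five findings (wildcard and unsafe-* script sources, wildcard connect source, missing `object-src 'none'`), while the hardened policy reports none.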

Experts write:

“If you run an old version of a vulnerable app, one can exploit that vulnerability and do bad things to you. I did however demonstrate how I use the fetch() API, for example, to read files from the local OS, like the content of the C:\Windows\System32\drivers\etc\hosts file in this case.”

The vulnerability could allow hackers to inject malicious code and links into messages in a way that is invisible to victims.

Source: SecurityAffairs