WhatsApp Web flaw allows hackers to take control of your desktop

Although the flaws they describe are rarely exploited, vulnerability testing reports on WhatsApp have become common in the cybersecurity community. The most recent of these reports describes multiple flaws that could alter some aspects of the user interface.

Using his knowledge of JavaScript, researcher Gal Weizman detected multiple vulnerabilities in the messaging service that could be exploited in real-world scenarios, exposing users to serious risks such as malicious links or remote code injection.

According to the vulnerability testing report, all the flaws discovered by Weizman are found in WhatsApp Web, the desktop version of the messaging service. Exploiting them would allow attackers to deploy sophisticated phishing campaigns and spread malware, even some variants of ransomware, putting millions of users at risk.

One of the most serious flaws allows an attacker to evade the platform's security measures and run cross-site scripting (XSS) attacks. By exploiting this vulnerability, malicious actors may obtain read permission on the target device’s local file system to add links or malicious code to a message sent by WhatsApp Web. Running these attacks is possible by simply modifying the JavaScript code of a message before it is sent.

Soon after, a spokesperson for WhatsApp, which is owned by Facebook, said that the company had received the report and that the bugs were fixed shortly afterwards: “The issue we addressed in the most recent update could have affected thousands of users of the WhatsApp Web platform; we appreciate the security investigator’s report.”

While this flaw has already been fixed, similar new threats could appear shortly. Vulnerability testing specialists at the International Institute of Cyber Security (IICS) therefore recommend being careful when interacting with a message received via WhatsApp Web that contains the text “javascript”, as it is a clear indicator of potentially malicious activity, especially if it is sent from an unknown account.
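
The IICS advice above can be applied as a scheme allow-list on the links a message carries, checked before any of them is rendered as clickable. This is an added example, not code from WhatsApp or from the researcher's report; the message shape (`body`, `links`) and the function names are assumptions.

```javascript
// Added example. The message shape { body, links } is hypothetical and is
// not WhatsApp's wire format.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Decide whether one link target may be rendered as clickable.
function checkLink(href) {
  let url;
  try {
    // The WHATWG URL parser trims surrounding whitespace, drops embedded
    // tabs and newlines, and lower-cases the scheme, as a browser does, so
    // "JaVa\tScRiPt:" is compared as "javascript:".
    url = new URL(String(href));
  } catch (err) {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme " + url.protocol + " not allowed" };
  }
  return { ok: true, reason: "allowed" };
}

// Return every link in a message that fails the allow-list.
function auditMessage(message) {
  return (message.links || [])
    .map((href) => ({ href, ...checkLink(href) }))
    .filter((finding) => !finding.ok);
}

// Constructed sample messages, not taken from any real report.
const SAMPLES = [
  { body: "Holiday photos", links: ["https://example.com/album"] },
  { body: "Check this out", links: ["javascript:void(0)"] },
  { body: "Invoice", links: ["  JaVa\tScRiPt:void(0)", "data:text/html,<b>x</b>"] },
  { body: "No scheme", links: ["example.com/login"] },
];

for (const message of SAMPLES) {
  const blocked = auditMessage(message);
  console.log(message.body, "->", blocked.length ? blocked : "all links allowed");
}
```

Comparing the parsed scheme against an allow-list, rather than searching the raw text for the string "javascript", is what catches the mixed-case and tab-split variants in the third sample.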