Facebook has issued a security advisory for a flaw in WhatsApp Desktop that could allow an attacker to use cross-site scripting attacks and read the files on MacOS or Windows PCs by using a specially crafted text message. The attacker could retrieve the contents of files on the computer on the other end of a WhatsApp text message and potentially do other illicit things.
The flaw, discovered by researcher Gal Weizman at PerimeterX, is a result of a weakness in how WhatsApp’s desktop was implemented using the Electron software framework, which has had significant security issues of its own in the past. Electron allows developers to create cross-platform applications based on Web and browser technologies but is only as secure as the components developers deploy with their Electron apps.
All of this was possible because the vulnerable versions of WhatsApp Desktop had been developed using an outdated, known vulnerable version of Google’s Chrome browser engine—Chrome 69. More recent versions of the Chromium engine would catch the malicious code.
According to Facebook, the vulnerability affects WhatsApp Desktop versions 0.3.9309 and earlier, for users who have paired the desktop app with WhatsApp for iPhone versions prior to 2.20.10. Facebook has shipped new versions of WhatsApp Desktop that use updated browser components.