Multiple loopholes and security vulnerabilities in WhatsApp could have allowed people to alter the text of someone’s message and inject malicious code in a user’s browser, cybersecurity researcher Gal Weizman revealed in a blog post on February 4. Weizman had reportedly informed Facebook about this last year and the company has since dealt with the issues in the application. The report was first covered by The Hacker News.

Key Findings

The research by Weizman revealed important loopholes and security flaws, mostly in WhatsApp web, the application’s browser version. Some of these include:

  • Altering the text of a message: By manipulating the metadata of the object containing a message, one could basically reply to messages that were never a part of the conversation. For instance, it would allow a user to quote a made-up message (using the reply feature on WhatsApp) that was never written.
  • Tampering with preview banners and links in messages: WhatsApp shows previews of links (with information regarding the link) that are sent as part of messages. A security flaw allowed one to tamper with the banner properties before the message is sent. Basically, by exploiting this vulnerability, it is possible to mislead users about the content of the link by showing the banner of a different link. For instance, hackers could send the link www.hacker.com, but the message would instead show a preview banner of www.facebook.com. Such a misleading preview could prompt the user to click on a malicious link in a message.
    • Moreover, it was also possible to tamper with the link itself. A security lapse allowed users to be redirected to any malicious page/website that the hacker wished them to go to. For instance, a person could click on a legitimate-looking link that would seem to have originated from a website like Facebook, but it would actually redirect the user to a malicious webpage. This could then open the possibility of further attacks.
  • Cross-site scripting (XSS): This is a type of attack in which “malicious scripts are injected into otherwise benign and trusted websites”. Weizman managed to execute cross-site scripting by using javascript URIs (which is a javascript library for working with URLs). Basically, by exploiting this vulnerability, a person could execute certain actions (such as making an alert box show up) on the browser of other users. It was possible to bypass WhatsApp’s Content Security Policy (CSP) rules to carry out more harmful XSS attacks. This meant that hackers could “run any external code with no size limits and no problems” on the user’s app and look even more unsuspicious.
    • XSS on desktop apps: The cross-site scripting that worked for WhatsApp web, was also working on the desktop versions of the app since the native desktop app was built using a platform that was also used in their web application.
    • Cross-platform read of local files: By using an API, Weizman was able to “read files from the local OS like the content of C:\Windows\System32\drivers\etc\hosts file”. This means that it was possible to remotely access files from a victim’s device.
    • Potential for remote code execution (RCE): Using XSS, Weizman was also able to access enough data about a user agent to assess the potential for an RCE. “Remote code execution is the ability an attacker has to access someone else’s computing device and make changes, no matter where the device is geographically located”, according to SearchWindowsServer. “I did not take the time to actually exploit a public RCE, and therefore didn’t get the chance to prove the existence of such a vulnerability, but the theoretical concept is as follows: if you run an old version of a vulnerable app, one can exploit that vulnerability and do bad things to you,” Weizman said in his blog post.

This is not the first time that an external researcher has revealed security issues with a popular application. Last month, research released by cybersecurity research firm Check Point Research (CPR) had also exposed security flaws in the popular video-sharing mobile app TikTok.