wordpress blog stats
Connect with us

Hi, what are you looking for?

Cybersecurity researcher exposed security flaws in WhatsApp: Report

WhatsApp Security Flaw
WhatsApp Security Flaw

Multiple loopholes and security vulnerabilities in WhatsApp could have allowed people to alter the text of someone’s message and inject malicious code in a user’s browser, cybersecurity researcher Gal Weizman revealed in a blog post on February 4. Weizman had reportedly informed Facebook about this last year and the company has since dealt with the issues in the application. The report was first covered by The Hacker News.

Key Findings

The research by Weizman revealed important loopholes and security flaws, mostly in WhatsApp web, the application’s browser version. Some of these include:

  • Altering the text of a message: By manipulating the metadata of the object containing a message, one could basically reply to messages that were never a part of the conversation. For instance, it would allow a user to quote a made-up message (using the reply feature on WhatsApp) that was never written.
  • Tampering with preview banners and links in messages: WhatsApp shows previews of links (with information regarding the link) that are sent as part of messages. A security flaw allowed one to tamper with the banner properties before the message is sent. Basically, by exploiting this vulnerability, it is possible to mislead users about the content of the link by showing the banner of a different link. For instance, hackers could send the link www.hacker.com, but the message would instead show a preview banner of www.facebook.com. Such a misleading preview could prompt the user to click on a malicious link in a message.
    • Moreover, it was also possible to tamper with the link itself. A security lapse allowed users to be redirected to any malicious page/website that the hacker wished them to go to. For instance, a person could click on a legitimate-looking link that would seem to have originated from a website like Facebook, but it would actually redirect the user to a malicious webpage. This could then open the possibility of further attacks.
  • Cross-site scripting (XSS): This is a type of attack in which “malicious scripts are injected into otherwise benign and trusted websites”. Weizman managed to execute cross-site scripting by using javascript URIs (which is a javascript library for working with URLs). Basically, by exploiting this vulnerability, a person could execute certain actions (such as making an alert box show up) on the browser of other users. It was possible to bypass WhatsApp’s Content Security Policy (CSP) rules to carry out more harmful XSS attacks. This meant that hackers could “run any external code with no size limits and no problems” on the user’s app and look even more unsuspicious.
    • XSS on desktop apps: The cross-site scripting that worked for WhatsApp web, was also working on the desktop versions of the app since the native desktop app was built using a platform that was also used in their web application.
    • Cross-platform read of local files: By using an API, Weizman was able to “read files from the local OS like the content of C:WindowsSystem32driversetchosts file”. This means that it was possible to remotely access files from a victim’s device.
    • Potential for remote code execution (RCE): Using XSS, Weizman was also able to access enough data about a user agent to assess the potential for an RCE. “Remote code execution is the ability an attacker has to access someone else’s computing device and make changes, no matter where the device is geographically located”, according to SearchWindowsServer. “I did not take the time to actually exploit a public RCE, and therefore didn’t get the chance to prove the existence of such a vulnerability, but the theoretical concept is as follows: if you run an old version of a vulnerable app, one can exploit that vulnerability and do bad things to you,” Weizman said in his blog post.

This is not the first time that an external researcher has revealed security issues with a popular application. Last month, research released by cybersecurity research firm Check Point Research (CPR) had also exposed security flaws in the popular video-sharing mobile app TikTok.

You May Also Like


WhatsApp is making another attempt to curb the backlash it faced over changes to its privacy policy and terms of service: over the coming...


The Ministry of Electronics & Information Technology Technology sent a letter to WhatsApp last month, interrogating changes the Facebook-owned messaging app had made to...


By Luca Belli and Nicolo Zingales Recently, WhatsApp pushed an in-app notification requesting users to accept its new privacy policy by February 8, 2021....


WhatsApp has removed the Request Payment feature for its UPI-based payment service in India. Users can no longer request peer-to-peer payments as was possible...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ