Experts Reaction On Researcher Finds Vulnerability In WhatsApp Desktop Platform

According to a blog post by PerimeterX, its cybersecurity researcher and JavaScript expert Gal Weizman found a gap in the Content Security Policy (CSP) used by WhatsApp, enabling CSP bypasses and cross-site scripting (XSS) on the desktop app.

Experts' Comments

February 06, 2020
Corin Imai
Senior Security Advisor
DomainTools
The fact that this vulnerability exists in such a prominent messaging platform is definitely a cause for concern. WhatsApp has an estimated 1.5 billion monthly users, and in developing democracies such as India, where WhatsApp counts a 200m user base, it has become a substitute for town-square talk. Users in India would have their ‘family’ and ‘friends’ chat groups, but often also use third-party apps to find and join WhatsApp groups aligned with their political views. For a vulnerability to be able to edit the content of messages is a legitimate cause for concern from a cybersecurity perspective, but potentially also from a fake news perspective.
February 06, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Thankfully, for now, this is not a widespread issue, affecting only WhatsApp Desktop prior to v0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10. But that does not make it any less of a significant finding. With phishing the most popular method for bad actors to compromise organisations, this attack method adds another string to their bow and can be used effectively to trick users into clicking on malicious links. Users, particularly those in public-facing roles such as social media or support teams, will get many messages across different channels from customers, prospects, and even bad guys. So, for them, being aware of the risks, and having regular security awareness and training to ensure they can identify and report any suspicious messages, is vital. From a technical perspective, companies can put in place controls to screen URLs and segregate high-risk users in public roles from the rest of the network, so that if a malicious link is clicked on, any infection is isolated.
February 06, 2020
Keith Geraghty
Solutions Architect
Edgescan
First of all, users should ensure they use the latest safe release of the software. But while defences on the software side may add a layer of protection, it’s been proven the most effective approach to these types of attacks is educating your users. Organisations need to invest in proper phishing campaigns, educating non-security-savvy people to review and look closely at the link they are about to click. This can be as simple as hovering over the link and observing where you will be taken or what you are downloading. Organisations worried about this potential entry vector should also consider blocking the desktop version of WhatsApp and, if not required on company-held smartphones, disabling the app with management systems such as MobileIron.