According to a blog post by PerimeterX, its cybersecurity researcher and JavaScript expert Gal Weizman found a find a gap in the Content Security Policy (CSP) used by WhatsApp, enabling bypasses and cross site scripting (XSS) on the desktop app.
According to a blog post by PerimeterX, its cybersecurity researcher and JavaScript expert Gal Weizman found a find a gap in the Content Security Policy (CSP) used by WhatsApp, enabling bypasses and cross site scripting (XSS) on the desktop app.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Thankfully, for now, this is not a widespread issue, affecting only WhatsApp Desktop prior to v0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10.
But that does not make it any less of a significant finding. With phishing the most popular method for bad actors to compromise organisations, this attack method adds another string to their bow and can be used effectively to trick users into clicking on malicious links.
Users, particularly those in public-facing roles such as social media or support teams will get many messages across different channels from customers, prospects, and even bad guys. So, for them, being aware of the risks, and having regular security awareness and training to ensure they can identify and report any suspicious messages is vital.
From a technical perspective, companies can put in place controls to screen URL\’s and segregate high risk users in public roles from the rest of the network, so that if a malicious link is clicked on, any infection is isolated.
First of all, users should ensure they use the latest safe release of the software. But while defences on the software side may add a layer of protection, it’s been proven the most effective approach to these types of attacks is educating your users. Organisations need to invest in proper phishing campaigns, educating non-security savvy people to review and look closely at the link they are about to click. This can be as simple as simply hovering over the link and observing where you will be taken or what you are downloading.
Organisations worried of this potential entry vector should also consider blocking the desktop version of WhatsApp, and – if not required on company held smartphones – disabling the app with management systems such as MobileIron.
The fact that this vulnerability exists in such a prominent messaging platform is definitely a cause for concern. WhatsApp has an estimated 1.5 billion monthly users, and in developing democracies such as India where WhatsApp counts 200m user base, it has become a substitute of town-square talk. Users in India would have their ‘family’ and ‘friends’ chat groups, but often also use third-party apps to find and join WhatsApp groups aligned with their political views. For a vulnerability to be able to edit the content of messages is both a legitimate cause for concern from a cybersecurity perspective, but potentially also from a fake news perspective.