Experts Reaction On Researcher Finds Vulnerability In WhatsApp Desktop Platform

By   ISBuzz Team
Writer , Information Security Buzz | Feb 06, 2020 04:15 am PST

According to a blog post by PerimeterX, its cybersecurity researcher and JavaScript expert Gal Weizman found a gap in the Content Security Policy (CSP) used by WhatsApp, enabling CSP bypasses and cross-site scripting (XSS) on the desktop app.
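The article does not spell out which directive created the gap, but the general class of problem is a CSP whose script sources leave room for injected code to run. The following is an added example, not code from the article, from PerimeterX or from WhatsApp: a small linter that parses a CSP header and flags the script-source settings most often behind XSS bypasses (`'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, wildcard hosts, and `data:`/`blob:` scheme sources), alongside a hardened policy that passes clean. Both sample policies are constructed for illustration and are not WhatsApp's actual headers.

```javascript
// Added example: a Content Security Policy linter for common XSS-bypass
// weaknesses. Sample policies below are constructed, not WhatsApp's real ones.

// Parse a CSP header into a Map of directive name -> array of source tokens.
// Per the CSP spec a repeated directive is ignored, so the first one wins.
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return human-readable findings describing weaknesses in the policy.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when it is absent.
  const scriptSrc = policy.get("script-src") ?? policy.get("default-src");
  if (scriptSrc === undefined) {
    findings.push("no script-src and no default-src: scripts from any origin may run");
  } else {
    // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script sources allow 'unsafe-inline': an injected inline <script> executes");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("script sources allow 'unsafe-eval': injected strings can reach eval()");
    }
    for (const src of scriptSrc) {
      if (src === "*" || src === "https:" || src === "http:") {
        findings.push(`script sources allow any host via ${src}`);
      } else if (src === "data:" || src === "blob:") {
        findings.push(`script sources allow the ${src} scheme, which can carry attacker-controlled script`);
      } else if (/^(https?:\/\/)?\*\./.test(src)) {
        findings.push(`script sources allow wildcard host ${src}: any subdomain can serve scripts`);
      }
    }
  }

  // object-src also falls back to default-src; with neither, plugin content is unrestricted.
  if (!policy.has("object-src") && !policy.has("default-src")) {
    findings.push("object-src not restricted: plugin content may be loaded");
  }
  return findings;
}

// Constructed sample policies (assumed, for illustration only).
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.example.com data:";
const HARDENED_POLICY =
  "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

// Stand-alone usage: print findings for both policies.
for (const [label, policy] of [["weak", WEAK_POLICY], ["hardened", HARDENED_POLICY]]) {
  const findings = lintCsp(policy);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  - ${f}`);
}
```

The hardened policy relies on a per-response nonce plus `'strict-dynamic'` rather than host allow-lists, which is the shape most resistant to the bypass techniques the weak policy permits; the linter reports three findings for the weak policy and none for the hardened one.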

Javvad Malik, Security Awareness Advocate (InfoSec Leader)
February 6, 2020 12:33 pm

Thankfully, for now, this is not a widespread issue, affecting only WhatsApp Desktop prior to v0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10.

But that does not make it any less of a significant finding. With phishing the most popular method for bad actors to compromise organisations, this attack method adds another string to their bow and can be used effectively to trick users into clicking on malicious links.

Users, particularly those in public-facing roles such as social media or support teams will get many messages across different channels from customers, prospects, and even bad guys. So, for them, being aware of the risks, and having regular security awareness and training to ensure they can identify and report any suspicious messages is vital.

From a technical perspective, companies can put in place controls to screen URLs and segregate high-risk users in public roles from the rest of the network, so that if a malicious link is clicked on, any infection is isolated.

Keith Geraghty, Solutions Architect (InfoSec Expert)
February 6, 2020 12:19 pm

First of all, users should ensure they use the latest safe release of the software. But while defences on the software side may add a layer of protection, it’s been proven the most effective approach to these types of attacks is educating your users. Organisations need to invest in proper phishing campaigns, educating non-security savvy people to review and look closely at the link they are about to click. This can be as simple as simply hovering over the link and observing where you will be taken or what you are downloading.

Organisations worried about this potential entry vector should also consider blocking the desktop version of WhatsApp, and – if not required on company-held smartphones – disabling the app with management systems such as MobileIron.

Corin Imai, Senior Security Advisor (InfoSec Expert)
February 6, 2020 12:17 pm

The fact that this vulnerability exists in such a prominent messaging platform is definitely a cause for concern. WhatsApp has an estimated 1.5 billion monthly users, and in developing democracies such as India, where WhatsApp counts a 200m user base, it has become a substitute for town-square talk. Users in India would have their ‘family’ and ‘friends’ chat groups, but often also use third-party apps to find and join WhatsApp groups aligned with their political views. For a vulnerability to be able to edit the content of messages is a legitimate cause for concern from a cybersecurity perspective, but potentially also from a fake news perspective.
