A high-severity vulnerability could allow cybercriminals to push malware or remotely execute code, using seemingly innocuous messages.
Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. And, further investigation shows this could be parlayed into remote code-execution.
The desktop platform has more than 1.5 billion monthly active users. The high-severity bug (rated 8.2 on the CVSS severity scale) could impact those that also use WhatsApp for iPhone, if they don’t update their desktop and mobile apps, and if they don’t use newer versions of the Chrome browser.
“A vulnerability [CVE-2019-18426] in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting (XSS) and local file reading,” according to the National Vulnerability Database. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
More specifically, “The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations,” PerimeterX founder and CTO Ido Safruti wrote in a blog post, on Tuesday.
Bad actors can inject harmful code or links into “seemingly innocuous exchanges,” according to Safruti, causing unsuspecting users to click on malicious links that appear to them like messages from a friend.
“These message modifications would be completely invisible to the untrained eye,” he wrote. “Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient.”
However, the end game is remote code-execution — a potential outcome in some browsers, according to the researchers.
For More Details :
https://threatpost.com/whatsapp-bug-malicious-code-injection-rce/152578/
