CVE-2019-18426: WhatsApp bug allowed remote access to users' computers with just a text message

Recently, the developers of the famous messaging app acknowledged and patched a major vulnerability that gave malicious users the ability to access files on a victim's computer.

A target user may fall prey to this attack simply by clicking a disguised link preview sent via the messaging app: a really easy mistake for users to make.


Which version was affected?

The vulnerability did not affect every WhatsApp user: only the iOS version of the messaging app prior to v2.20.10, paired with either a PC or macOS WhatsApp desktop app prior to v0.3.9309, was vulnerable.

According to the official bug report [1]:

A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.
Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.


My2C

Just a few weeks ago, the famous report about the Jeff Bezos iPhone hack [2] claimed that the smartphone may have been hacked following the receipt of a malicious WhatsApp message.
Is there a connection?


References

  1. Facebook bug report
  2. TLDR #1: Jeff Bezos’ iPhone hack
