WhatsApp? WhatsPatch? WhatsCrack? | WhatsApp Critical Flaw

A security researcher by the name of Gal Weizman from PerimeterX found multiple flaws within WhatsApp that could potentially lead to remote-code-execution (RCE). The flaws enabled vulnerabilities such as Open-Redirect, Persistent-XSS, CSP-Bypass and read privileges from the Local File System (LFS).

Gal Weizman originally found a flaw that allowed a message to be altered when it was directly replied to. This was not very powerful on its own, but it made the researcher wonder what else could be edited when sending a message, which led him to an Open-Redirect flaw in the link-preview banner attached to messages.

When sending a link to an individual on WhatsApp, a simple banner with basic information on the link sent can appear. Gal Weizman was able to take advantage of this by adding a simple ‘@’ symbol.

“The purpose of “@” in URLs is to pass username and password to visited domains in the following way: https://USERNAME:[email protected]. One can abuse this, as I just did, and replace the username and password with anything else: https://[email protected] and it’ll still work.”

From here the researcher looked for a way to turn the manipulated preview into Persistent-XSS. The approach was trial and error. He first attempted a plain javascript: URI, which turned out to be a dud:

e.__x_body = e.__x_matchedText = "javascript:alert(document.domain)";

The researcher then tried a different approach: he kept the javascript: URI but embedded a URL string inside it, on the assumption that WhatsApp's link-preview code only requires the attached URL to contain a legitimate HTTPS URI somewhere in the text:

e.__x_body = e.__x_matchedText = 'javascript:"https://example.com";alert(document.domain)';

“AND IT WORKED!”
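The two tricks described above, the "@" userinfo trick in the preview URL and the javascript: payload that smuggles an https:// string past a substring check, both come down to how the link-preview code decides what a URL is. The following added example is not code from the original post or from WhatsApp or PerimeterX; it contrasts a naive "does the text contain https://" check with a validator built on the WHATWG URL parser, and shows which host a browser would really connect to for a URL carrying userinfo. All sample URLs and host names are constructed for the example.

```javascript
// Added example (not from the original post or from WhatsApp/PerimeterX code):
// how a link-preview validator should decide which URLs it will render.
// Uses Node's built-in WHATWG URL parser (the global URL class).

// Naive check: does the text contain an HTTPS URL somewhere? This is the kind
// of test that 'javascript:"https://example.com";alert(document.domain)' passes,
// because the string *contains* "https://" without *being* an https URL.
function naiveLooksLikeHttps(text) {
  return text.includes("https://");
}

// Which host does a browser actually connect to for this URL? Everything
// before "@" in the authority is userinfo (credentials), not the host, so
// "https://trusted.example@attacker.example/" goes to attacker.example.
function realHost(text) {
  try {
    return new URL(text).hostname;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Strict check: parse the whole string as a URL, require the https scheme,
// and refuse any URL that carries userinfo, so the displayed host cannot
// differ from the host the link resolves to. Returns the hostname that may
// be shown in the preview, or null when the link must not be previewed.
function previewTarget(text) {
  let url;
  try {
    url = new URL(text);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;                 // rejects javascript:, file:, http:
  if (url.username !== "" || url.password !== "") return null; // rejects the "@" trick
  return url.hostname;
}

// Constructed sample inputs mirroring the cases in the write-up.
const samples = {
  userinfoTrick: "https://trusted.example@attacker.example/path",
  bareJs: "javascript:alert(document.domain)",
  jsWithUrl: 'javascript:"https://example.com";alert(document.domain)',
  plain: "https://example.com/article",
};

// Run each sample through both checks and report the decisions.
function report() {
  const rows = [];
  for (const [name, text] of Object.entries(samples)) {
    rows.push({
      name,
      naiveAccepts: naiveLooksLikeHttps(text),
      realHost: realHost(text),
      previewTarget: previewTarget(text),
    });
  }
  return rows;
}

for (const row of report()) {
  console.log(row);
}
```

The point of `realHost` is that the WHATWG parser, like every browser, treats the text before "@" as credentials, so a preview that prints the raw string lets the sender show one domain while the link resolves to another; `previewTarget` closes both gaps by rejecting non-https schemes and any userinfo outright rather than searching the text for a trusted-looking substring.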

From here the researcher looked for a way to make the XSS persistent. One route was bypassing WhatsApp’s Content Security Policy rules. With the CSP bypass in place, the researcher was able to use the ‘fetch()’ API to read files from the local file system.

