WhatsApp? WhatsPatch? WhatsCrack? | WhatsApp Critical Flaw

WhatsApp? WhatsPatch? WhatsCrack? | WhatsApp Critical Flaw

A security researcher by the name of Gal Weizman from PerimeterX found multiple flaws within WhatsApp that could potentially lead to remote-code-execution (RCE). The flaws enabled vulnerabilities such as Open-Redirect, Persistent-XSS, CSP-Bypass and read privileges from the Local File System (LFS).

exc-5e3d5126d4ad48682c3871b0

A security researcher by the name of Gal Weizman from PerimeterX found multiple flaws within WhatsApp that could potentially lead to remote-code-execution (RCE). The flaws enabled vulnerabilities such as Open-Redirect, Persistent-XSS, CSP-Bypass and read privileges from the Local File System (LFS).

Gal Weizman originally found a flaw that enabled the altering of messages when being directly replied to. This was not very powerful but did get the researcher wondering what else could potentially be edited when sending a message, which brought the researcher into finding an Open-Redirect flaw in messages which involved a preview banner.

When sending a link to an individual on WhatsApp, a simple banner with basic information on the link sent can appear. Gal Weizman was able to take advantage of this by adding a simple ‘@’ symbol.

“The purpose of “@” in URLs is to pass username and password to visited domains in the following way: https://USERNAME:[email protected]. One can abuse this, as I just did, and replace the username and password with anything else: https://[email protected] and it’ll still work.”

From here the researcher was able to find a way where Persistent-XSS was integrated. The approach he used was by trial and error. He first tried an XSS attack by attempting the following which ended up being a dud:

e.__x_body = e.__x_matchedText = “javascript:alert(document.domain)”;

The researcher then attempted a different approach where Gal Weizman treated the javascript to include a URL with the assumption that the WhatsApp attached URL banner has to include a legitimate HTTPS URI:

e.__x_body = e.__x_matchedText = 'javascript:"https://example.com";alert(document.domain)';

“AND IT WORKED!”

From here the researcher was looking for a way to make this XSS attack persistent. One way this was possible was bypassing WhatsApp’s Content Security Policy rules. The researcher was able to use the ‘fetch()’ API which made it possible to access the local systems files.

  • Latest Articles
Author Details
Penetration Tester at Hedgehog Security

Michael is an OSCP qualified Penetration Tester based in our Gibraltar office. Outside of work Michael is a keen power lifter and photographer.

  • Cisco’s recent update fixes high-severity flaws
  • Ukrainian Malware Spreading Exposed on Dark Web

    Malware is known as ‘Blackout’ was found in Ukraine in 2015 affecting power plants and in turn causing blackouts. This specific malware target SSH keys to gain access to the victim’s machine unnoticed.

  • Intel Vulnerability Enables Multiple Issues

    Intel is warning users of a high severity flaw found within their firmware of it’s ‘Converged Security and Management Engine’ (CSME) which is used to power Intel’s ‘Active Management System’ hardware for the purpose of remote out-of-band management to consumers. This flaw could enable an attacker to conduct Privilege Escalation, Information Disclosure and Denial of Service.

  • Dell SupportAssist-ing Hackers

    A recent vulnerability found in Dell’s SupportaAssist software found that if exploited correctly can lead to code execution for unprivileged users. This is known as an uncontrolled search path vulnerability (CVE-2020-5316).

  • Android Bluetooth Critical RCE Flaw

    A recent vulnerability was found by researchers from a German security firm. Fixes are available via the Android February 2020 Security Bulletin. The bug is identified as CVE-2020-002; when exploited can result in remote-code-execution without any user interaction with elevated privileges.

  • WhatsApp? WhatsPatch? WhatsCrack? | WhatsApp Critical Flaw

    A security researcher by the name of Gal Weizman from PerimeterX found multiple flaws within WhatsApp that could potentially lead to remote-code-execution (RCE). The flaws enabled vulnerabilities such as Open-Redirect, Persistent-XSS, CSP-Bypass and read privileges from the Local File System (LFS).

  • Google Exposed Personal Photos

    It has recently been reported that not long ago, last Thanksgiving, Google had a bug which caused personal photos to be shared to complete strangers. ‘The Chocolate Factory’ made note of this issue and began notifying users that there is a bug in Google Photos data-archiving tool, Takeout.

  • Handout the CacheOut

    A recent finding of a microarchitectural Data Sampling (MDS) vulnerability within Intel’s CPU’s found by researchers have now released a Proof-of-Concept (PoC) code. This was not the only recent vulnerability found; however, it is the most severe with a Medium risk vulnerability.

  • Juice Jacking? The New but Old Revolution of Hacking Attacks!

    Juice Jacking is an attack-type that involves plugging your phone into public sockets for “charging purposes”. The truth behind these sockets is the installation of malware on your phones and other electronic devices of unsuspecting users.

  • Mistakes were Made | Intel Privilege Escalation

    Intel is a very large corporation most known for their processors. A recent flaw within Intel’s ‘VTune Profiler’ software could enable anyone to upgrade their privileges if exploited correctly. This software is a performance monitoring & analysis application mainly used for serial and multi threaded application developers.

Share on facebook
Facebook
Share on google
Google+
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on pinterest
Pinterest
Scroll to Top