Although such flaws are rarely exploited in practice, vulnerability reports on WhatsApp have become common in the cybersecurity community. The most recent of these describes multiple flaws that could alter parts of the user interface.
Using his JavaScript expertise, researcher Gal Weizman detected multiple vulnerabilities in the messaging service that could be exploited in real-world scenarios, exposing users to serious risks such as the delivery of malicious links or remote code injection.
The report notes that all of the flaws discovered by Weizman are in WhatsApp Web, the desktop version of the messaging service. Exploiting them would allow attackers to run sophisticated phishing campaigns, spread malware, and even distribute some ransomware variants, putting millions of users at risk.
One of the most serious flaws allows an attacker to bypass the platform's security measures and perform cross-site scripting (XSS). By exploiting this vulnerability, malicious actors could obtain read access to the target device's local file system and add links or malicious code to a message sent through WhatsApp Web. The attack requires only modifying the JavaScript of a message before it is sent.
Soon after, a WhatsApp spokesperson stated that the company, owned by Facebook, had received the report and that the bugs were fixed shortly afterwards: “The issue we addressed in the most recent update could have affected thousands of users of the WhatsApp Web platform; we appreciate the security investigator’s report.”
Although this flaw has already been fixed, similar threats could appear again soon, so vulnerability testing specialists at the International Institute of Cyber Security (IICS) recommend caution when interacting with a message received via WhatsApp Web that contains the text “javascript”, as it is a clear indicator of potentially malicious activity, especially when the message comes from an unknown account.
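The "javascript" indicator above is the user-facing version of a check a messaging client can perform itself: before a link in a message becomes clickable, verify that its scheme is on a short allowlist rather than searching for a forbidden word. The following is an added illustration, not WhatsApp's code or anything from Weizman's report; it assumes a hypothetical renderer that hands it the link targets it extracted from a message, and it shows why a naive substring match is weaker than scheme parsing (case changes and embedded control characters defeat the former but not the latter).

```javascript
// Added example: allowlist-based link scheme check for a message renderer.
// Only these schemes may become clickable links; everything else is blocked.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Normalise the way browsers do before they read a scheme: remove ASCII
// control characters and whitespace (so "java\tscript:" collapses to
// "javascript:") and fold case (so "JaVaScRiPt:" becomes "javascript:").
function normaliseUrl(raw) {
  return String(raw).replace(/[\u0000-\u0020]+/g, "").toLowerCase();
}

// Return the scheme of a URL-like string, or null when it has none
// (a relative path such as "/index.html" has no scheme).
function extractScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normaliseUrl(raw));
  return m ? m[1] : null;
}

// Classify one link target:
//   "allowed"  - scheme is on the allowlist
//   "blocked"  - scheme present but not allowlisted (javascript:, data:, ...)
//   "relative" - no scheme at all; render as plain text, never as a link
function classifyLink(raw) {
  const scheme = extractScheme(raw);
  if (scheme === null) return "relative";
  return ALLOWED_SCHEMES.has(scheme) ? "allowed" : "blocked";
}

// Given the link targets a renderer extracted from a message, return the ones
// that must not be turned into clickable elements.
function findBlockedLinks(linkTargets) {
  return linkTargets.filter((target) => classifyLink(target) === "blocked");
}

// Constructed sample input (hypothetical message link targets, not real data).
const SAMPLE_LINKS = [
  "https://example.com/invoice",
  "JaVaScRiPt:alert(document.cookie)",
  " \tjava\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/relative/path",
];

// A substring check for the literal word "javascript" misses the obfuscated
// forms above; scheme parsing after normalisation catches all of them.
function naiveSubstringCheck(target) {
  return target.includes("javascript");
}
```

Running `findBlockedLinks(SAMPLE_LINKS)` returns the three non-web links, while `naiveSubstringCheck` accepts both obfuscated `javascript:` variants; the design point is that the renderer decides what is allowed, not what is forbidden.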
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job involves researching new malware and cyber security incidents, and he has deep knowledge of mobile security and mobile vulnerabilities.