The last few months have not been good for WhatsApp users. Unfortunately, it does not appear that this is going to change anytime soon.
The Facebook-owned messaging app acknowledged and patched a large vulnerability that gave hackers the ability to access files on the victim’s computer. To fall victim to this attack, you have to click on the hidden link preview sent through the messaging app. In other words, it would be an easy mistake for users to make.
Crucially, it did not affect every single WhatsApp user. Rather, a WhatsApp user must have the iOS version of the messaging app paired with a PC or macOS WhatsApp desktop app.
The Facebook bug report reads, “When paired with WhatsApp for iPhone, a vulnerability in WhatsApp Desktop allows cross-site scripting and local file reading. The victim needs to click on the link preview from a specially prepared text message to uncover the vulnerability.”
In a February 4 blog post, the security researcher who discovered and revealed the vulnerability detailed his process and noted that WhatsApp really should get it together.
“It’s 2020,” Gal Weizman wrote, “no product should be allowed to read from the file system in its entirety and could possibly result in [a remote code execution] from a message.”
Patrick Wardle, a security researcher at Objective and founder of Objective-See, reported in a Twitter direct message that “often not as well-audited or well-written as desktop versions of apps … and thus often open to attacks.”
He said that this specific bug was “likely to be trivial to exploit,” but cautioned people to fire.
“[Still],” Wardle wrote, “a super clean bug, and had the ability to affect a lot of users (I use the WhatsApp desktop), so of course a security researcher exposed it and F.B. patched it quickly.”
We reached out to Facebook in an effort to find out how many people were vulnerable to this exploitation and how many, if any, were actually affected by it. We have not received any response as of press time.
In particular, WhatsApp vulnerabilities can have serious consequences. Just last month, a security firm hired by Amazon CEO Jeff Bezos claimed in a report that the CEO’s phone could be hacked upon receipt of a malicious WhatsApp message. And while Bezos will be fine, people with less power and resources who are victims of such attacks may not fare as well.
Facebook knows about this but suggests that at least some of the blame must lie elsewhere. Following the news of Bezos’ hacked phone, Nicola Mendelsohn, the company’s vice president for Europe, the Middle East, and Africa, suggested to Bloomberg that Apple was the real problem here.
“One of the things that it highlights is actually some of the potential inherent weaknesses that exist on the actual operating system on the phone,” Mendelsohn told the publication. “From the perspective of WhatsApp, from the perspective of Facebook, the thing we care about the most, the thing we invest in, is making sure that the information we have is safe and secure.”
Which, yes, great. Ensuring that WhatsApp information is “safe and secure” sounds great, but perhaps it should not allow malicious texts that let hackers access victims’ computers? It seems like a good place to start.