Users of WhatsApp Desktop are facing a vulnerability that could give bad actors access to local files on a PC. The vulnerability involves hackers sending specially crafted messages to fool users.
Facebook has confirmed the vulnerability (CVE-2019-18426). In an advisory, the company said the attack would need the user to click a link.
“Description: A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
“Affected Versions: WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10.”
It seems the problem is that the Electron application is built on an aging web rendering engine. It is based on Chromium 69, which has the vulnerability. Of course, Chrome has since moved on and had the problem patched. However, for WhatsApp Desktop the problem remains.
Facebook says a patched version of the app is now available. To get it, you must have WhatsApp Desktop downloaded from the Microsoft Store. Other versions of the app may still have the vulnerability.
If you want the latest version of WhatsApp Desktop, you can get it here.
Windows Phone Removal
Back in December, the WhatsApp application for Microsoft’s Windows Phone was removed.
The removal had been inevitable, as the company had not been supporting the app for some time. That means WhatsApp on Windows Phone had not been receiving updates and was not visible in the Microsoft Store. However, users with the app already installed had been able to continue using it.