WhatsApp Desktop for Windows has a cross-site scripting vulnerability which allows local files to be read
1 min. read
Published on
Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more
The WhatsApp Desktop has a vulnerability which allows hackers to access your local files by sending you a specially crafted text message.
Facebook has issued an advisory (CVE-2019-18426) which notes:
Description: A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
Affected Versions: WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10
The issue is that the Electron app uses an older web rendering engine based on Chromium 69, which has a vulnerability which has long since been patched on more recent versions of Chrome.
Facebook has made a patched version available, but if you do not use the Store version of the app you may very well still have an older, vulnerable version installed.
If that is the case it would be a good idea to update to the latest version which you can get it from this link.
Via Engadget
User forum
0 messages