WhatsApp Desktop for Windows has a cross-site scripting vulnerability which allows local files to be read


WhatsApp Desktop has a vulnerability that allows attackers to read your local files by sending you a specially crafted text message.

Facebook has issued an advisory (CVE-2019-18426) which notes:

Description: A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

Affected Versions: WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10

The issue is that the Electron app uses an older web rendering engine based on Chromium 69, which contains a vulnerability that has long since been patched in more recent versions of Chrome.

Facebook has made a patched version available, but if you do not use the Store version of the app you may very well still have an older, vulnerable version installed.

If that is the case, it would be a good idea to update to the latest version, which you can get from this link.
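
To check recorded installs against the version thresholds in the advisory, the following is an added example, not code from Facebook or from the original article. The host names and version strings are constructed, and the status labels and the handling of an unknown paired-phone version are assumptions of this example.

```python
import re

# Fixed versions quoted in the advisory text above (CVE-2019-18426).
DESKTOP_FIXED = (0, 3, 9309)
IPHONE_FIXED = (2, 20, 10)

def parse_version(text):
    """Parse 'v0.3.9309' or '2.20.10' into a tuple of ints; None if malformed."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(version, fixed):
    """Numeric compare, padding so '2.20' is treated as 2.20.0."""
    n = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(version) < pad(fixed)

def triage(desktop, iphone=None):
    """Classify one desktop install (status labels are this example's own)."""
    d = parse_version(desktop)
    if d is None:
        return "unknown"
    if not is_older(d, DESKTOP_FIXED):
        return "patched"
    i = parse_version(iphone)
    if i is not None and is_older(i, IPHONE_FIXED):
        return "affected"          # the exact combination the advisory names
    return "update-desktop"        # old desktop, phone patched or not known

# Constructed inventory rows: (host, desktop version, paired iPhone version).
SAMPLE = [
    ("ws-01", "0.3.9308", "2.20.9"),
    ("ws-02", "v0.3.9309", "2.19.1"),
    ("ws-03", "0.3.10000", "2.20.9"),   # 10000 > 9309; string compare gets this wrong
    ("ws-04", "0.3.4000", "2.20.10"),
    ("ws-05", "not installed", None),
]

def triage_inventory(rows):
    return {host: triage(d, i) for host, d, i in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 0.3.10000 below 0.3.9309 and 2.20.9 above 2.20.10.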

Via Engadget
