WhatsApp? WhatsPatch? WhatsCrack? | WhatsApp Critical Flaw

Posted by Michael on 07/02/2020

Gal Weizman, a security researcher at PerimeterX, found a chain of flaws in WhatsApp Web and the WhatsApp Desktop client that could potentially be escalated to remote code execution (RCE). The chain combined an open redirect, a persistent cross-site scripting (XSS) bug, a Content Security Policy (CSP) bypass and, on the desktop client, read access to files on the local file system.
Weizman's starting point was a low-impact flaw: by tampering with the message object before it was sent, he could alter the quoted text that is shown when a message is replied to. That was not very powerful in itself, but it raised the question of what else in an outgoing message could be edited, and that led him to the link-preview banner and an open redirect.
When a link is sent on WhatsApp, a banner with basic information about the linked page can appear under the message. Weizman was able to make the banner describe one domain while the link actually resolved to another by inserting a single '@' character into the URL:
“The purpose of "@" in URLs is to pass username and password to visited domains in the following way: https://USERNAME:PASSWORD@DOMAIN.COM. One can abuse this, as I just did, and replace the username and password with anything else: https://DOMAIN-A.COM@DOMAIN-B.com and it'll still work.”
From there he went looking for a way to turn the banner into persistent XSS, working by trial and error against the internal fields of the message object. His first attempt, setting the link body to a bare javascript: URI, was a dud:
e.__x_body = e.__x_matchedText = "javascript:alert(document.domain)";
He then worked on the assumption that the banner is only attached when the link contains a legitimate-looking https:// URL, and prefixed the JavaScript with an https:// string literal. The string satisfies the check, while the browser still evaluates everything after the javascript: scheme as code, so the alert runs:

e.__x_body = e.__x_matchedText = 'javascript:"https://example.com";alert(document.domain)';
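Both tricks above defeat link checks that treat the URL as a string rather than parsing it. The following JavaScript is an added example, not code from the original post or from Weizman's research: it contrasts a naive validator (assumed here to accept any string that contains an https:// URL, which is the behaviour the post infers) with a check that parses the link and verifies the scheme and hostname. The function names and the sample payloads are constructed for illustration.

```javascript
// Added example: string-based link validation vs. parser-based validation.
// Not part of the original post; names and payloads are constructed.

// Naive validator, modelled on the assumption described in the post: the
// link is considered legitimate if an https:// URL appears anywhere in it.
function naiveLooksLikeHttps(link) {
  return /https?:\/\/[^\s"']+/.test(link);
}

// Hardened check: parse with the WHATWG URL parser, require an http(s)
// scheme, and compare the parsed hostname against an allow-list.
// Returns the hostname on success and null on rejection.
function safeHostname(link, allowedHosts) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return null; // not an absolute URL at all
  }
  // javascript:, data:, file: and friends are never acceptable link targets,
  // no matter what text follows the scheme.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return null;
  }
  // url.hostname excludes the userinfo part, so for
  // "https://example.com@evil.example" it is "evil.example", not "example.com".
  if (!allowedHosts.includes(url.hostname)) {
    return null;
  }
  return url.hostname;
}

// Constructed sample payloads modelled on the two tricks in the post.
const SAMPLE_LINKS = [
  "https://example.com",
  "https://example.com@evil.example",                         // userinfo trick
  "javascript:alert(document.domain)",                        // first attempt
  'javascript:"https://example.com";alert(document.domain)',  // second attempt
];

// Run both checks over a list of links and report the verdicts side by side.
function classifyLinks(links, allowedHosts) {
  return links.map((link) => ({
    link,
    naiveAccepts: naiveLooksLikeHttps(link),
    hardenedHost: safeHostname(link, allowedHosts),
  }));
}

// Stand-alone demo: prints one line per sample link.
for (const row of classifyLinks(SAMPLE_LINKS, ["example.com"])) {
  console.log(
    `${row.link}\n  naive accepts: ${row.naiveAccepts}` +
      `\n  hardened host: ${row.hardenedHost}`
  );
}
```

The naive check passes the '@' payload and the javascript: payload that smuggles an https:// literal, exactly the two cases the post describes; the parser-based check rejects both, because the parsed protocol and hostname, not the raw text, decide the verdict.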
Because the payload travels inside a stored message, the XSS is persistent: it fires whenever the recipient clicks the poisoned banner, not just once. To do anything useful with it, Weizman still had to get around WhatsApp's Content Security Policy, and he found a CSP bypass that let the injected script load external code. On the WhatsApp Desktop client, which wraps the web app in Electron with an outdated Chromium build, the injected script could then use the fetch() API to read files from the local file system, which is what raised the impact from XSS towards RCE.
