Researcher discovers WhatsApp bug that allowed hackers to access files on your PC

Facebook has fixed another security flaw in WhatsApp that could have allowed attackers to gain access to your files on your computer.

Discovered by Gal Weizman, a security researcher at PerimeterX, the vulnerability affected WhatsApp's Windows app when paired with an iPhone and the Mac app. The exploit was discovered in the Content Security Policy (CSP) which enabled hackers to modify messages and links via XSS (cross-site scripting). The researcher said he could leverage the exploit to gain access to a user's files on their PC.

"A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message," said Facebook in a post.

The company said the exploit was discovered in "WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10."

Weizman in his blog said, "Fortunately for WhatsApp, Chromium based browsers added a defense mechanism against javascript: URIs just when I found this vulnerability. Unfortunately for WhatsApp, on other browsers such as Safari and Edge, this vulnerability was still wide open."

The report comes days after WhatsApp was caught in a big privacy scandal wherein attackers targeted individuals around the world. The hackers reportedly used Pegasus spyware, developed by Israel-based surveillance firm NSO Group. Even Amazon CEO Jeff Bezos suffered a targeted attack via WhatsApp.