WhatsApp has encountered yet another security bug. WhatsApp for Desktop on both Windows and Mac allowed hackers to remotely access files on the computer. While Facebook has already fixed the vulnerability, it could have leaked a lot of important and crucial information belonging to people who use the WhatsApp desktop application. The security bug mainly affected users running the WhatsApp desktop client on Windows or Mac. However, some WhatsApp Web users (the client that runs in a web browser) were also affected.
The WhatsApp desktop application's vulnerability was first reported by PerimeterX researcher Gal Weizman. The report suggests that the bug mainly affected users of WhatsApp's Mac or Windows app who had paired the app with an iPhone. On further investigation, the researcher found that the weakness lay in WhatsApp's Content Security Policy (CSP), which allowed Cross-Site Scripting (XSS) attacks on the desktop app.
In a blog post, Weizman said, "For some reason, the CSP rules were not an issue with the Electron-based app, so fetching an external payload using a simple JavaScript resource worked." He further added, "CSP rules are super important and could have prevented a big part of this mess. If the CSP rules were well configured, the power gained by this XSS would have been much smaller."
As the company has fixed the flaw, it is recommended that you update both your WhatsApp desktop app and the WhatsApp app on your Android or iOS device.