A security researcher by the name of Gal Weizman from PerimeterX found multiple flaws within WhatsApp that could potentially lead to remote-code-execution (RCE). The flaws enabled vulnerabilities such as Open-Redirect, Persistent-XSS, CSP-Bypass and read privileges from the Local File System (LFS).
Gal Weizman originally found a flaw that enabled the altering of messages when being directly replied to. This was not very powerful but did get the researcher wondering what else could potentially be edited when sending a message, which brought the researcher into finding an Open-Redirect flaw in messages which involved a preview banner.
When sending a link to an individual on WhatsApp, a simple banner with basic information on the link sent can appear. Gal Weizman was able to take advantage of this by adding a simple ‘@’ symbol.
“The purpose of “@” in URLs is to pass username and password to visited domains in the following way: https://USERNAME:PASSWORD@DOMAIN.COM. One can abuse this, as I just did, and replace the username and password with anything else: https://DOMAIN-A.COM@DOMAIN-B.com and it’ll still work.”
From here the researcher was able to find a way where Persistent-XSS was integrated. The approach he used was by trial and error. He first tried an XSS attack by attempting the following which ended up being a dud:
“AND IT WORKED!”
From here the researcher was looking for a way to make this XSS attack persistent. One way this was possible was bypassing WhatsApp’s Content Security Policy rules. The researcher was able to use the ‘fetch()’ API which made it possible to access the local systems files.