Security News > 2020 > February > Vulnerability in WhatsApp Desktop Exposed User Files
The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who said he found multiple issues in WhatsApp Desktop, starting with an open redirect into persistent XSS and Content Security Policy bypass, and then a "Cross platforms read from the local file system."
One of the main issues Weizman identified was that an attacker could modify WhatsApp reply messages to include quotes of messages the recipient never sent.
The WhatsApp Desktop applications for Windows and macOS are written using the Electron platform, which is Chromium-based, meaning that they should have been protected from the XSS attack.
Because the apps were still based on a vulnerable version of Chrome - they used Chrome 69 when the latest stable version of Chrome was 78 - WhatsApp's desktop users were exposed, the researcher explains.
The researcher says he did not attempt any code execution attacks, but that he was able to use the fetch() API to read files from the local file system.