
Update now – WhatsApp flaw gave attackers access to local files
2020-02-06 15:39

The immediate problem was caused by a gap in WhatsApp's Content Security Policy, a security layer used to protect against common types of attack, including XSS. Using modified JavaScript in a specially crafted message, an attacker could exploit this to feed victims phishing and malware links in weblink previews in ways that would be invisible to the victim.
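As an added illustration (not code from the original article or from WhatsApp), the sketch below shows a defender-side check a client could run before rendering a link preview: it rejects preview targets with a non-web scheme and flags a target whose host differs from the URL the user can read in the message text. The message shape, field names and sample messages are assumptions constructed for this example.

```javascript
// Added example: the message shape and field names are hypothetical,
// not WhatsApp's real message format.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse a URL string; return null instead of throwing on malformed input.
function parseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Return the reasons a preview should not be rendered as a clickable banner.
// An empty array means the preview target matches what the user can see.
function checkPreview(message) {
  const target = parseUrl(message.preview.href);
  if (!target) {
    return ["preview target is not a valid absolute URL"];
  }
  const findings = [];
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    findings.push(`scheme ${target.protocol} is not allowed for preview links`);
  }
  // The URL the user can actually read in the message body.
  const visible = (message.text.match(/https?:\/\/[^\s]+/i) || [])[0];
  const shown = visible ? parseUrl(visible) : null;
  if (!shown) {
    findings.push("message text contains no visible URL to compare against");
  } else if (shown.hostname !== target.hostname) {
    findings.push(`visible host ${shown.hostname} differs from target host ${target.hostname}`);
  }
  return findings;
}

// Constructed sample messages (not captured traffic).
const TEXT = "Read this: https://news.example.com/story";
const SAMPLES = {
  consistent: { text: TEXT, preview: { href: "https://news.example.com/story" } },
  hostMismatch: { text: TEXT, preview: { href: "https://login.example.net/verify" } },
  badScheme: { text: TEXT, preview: { href: "ftp://news.example.com/story" } },
  malformed: { text: TEXT, preview: { href: "not a url" } },
};

for (const [name, message] of Object.entries(SAMPLES)) {
  console.log(name, checkPreview(message));
}
```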

An underlying problem is that WhatsApp desktop, written using the cross-platform Electron platform, uses older versions of Google's Chromium framework.

It's not the first time WhatsApp has required a patch to fix its security.

Arguably, the problem here isn't WhatsApp but the complex nature of modern messaging applications, coupled with the willingness of researchers to hunt for flaws in the world's number one communications app.

For all the app's much-vaunted security features, attackers have a strong incentive to look inside its guts for security holes that could undermine them.


News URL

https://nakedsecurity.sophos.com/2020/02/06/update-now-whatsapp-flaw-gave-attackers-access-to-local-files/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Whatsapp 5 1 11 13 16 41