WhatsApp desktop security flaw gave intruders remote access to files

Jon Fingas
Associate Editor

You'll want to update WhatsApp's desktop client if you use it to chat on your computer. PerimeterX researcher Gal Weizman has revealed that Facebook patched a security vulnerability in WhatsApp's Mac and Windows versions that let attackers insert JavaScript into messages and remotely access files. The software was running an older release of Google's Chromium web engine (all the way back to version 69) with known flaws that made it relatively easy to slip in rogue code. It wouldn't have been difficult to alter messages, look for sensitive documents or install additional malware.

Facebook built WhatsApp on the Electron framework, which makes it easier to deliver multi-platform apps based on web technology. As Ars Technica explained, though, Electron isn't secure if an app is based on an outdated web engine.

The flaws affect versions 0.3.9309 and earlier of WhatsApp's desktop software, as well as people who paired the app with WhatsApp's iOS editions before 2.20.10. You're probably safe if you downloaded the app recently or have been vigilant about staying current. This is mainly a reminder that web-based apps aren't automatically safe, and that secure messaging is only truly secure if you're on top of upgrades.