WhatsApp flaw gave hackers access to files from Windows and Macs

Graham Cluley


If you run WhatsApp’s desktop client on your Mac or PC, you would be wise to make sure it’s up to date, following the revelation that a security researcher uncovered a critical security flaw.

Gal Weizman of Perimeter X found problems in the Windows and Mac versions of WhatsApp Desktop, which users pair with the smartphone version of the messaging app.

Weizman discovered an array of issues in the cross-platform desktop apps that are built using web browser technology with the Electron software framework.


Perhaps the most alarming flaw found by Weizman was one which could allow an attacker to simply send some JavaScript in a WhatsApp message to their intended victim in order to trigger the reading of their locally-stored files.


Embarrassingly for Facebook, the makers of WhatsApp, Weizman had found that the software was using an old, out-of-date version of the Google Chromium engine (Chromium 69), for which vulnerabilities were already known.

Weizman issued a warning to other developers of the risks if they didn’t keep their users patched with the latest updated software:

“If you’re going to use Electron, you HAVE to make sure it is updated with each update of Chromium. And this is such a big one – Chromium updates are not just cool new features, in most Chromium updates, serious vulnerabilities are being patched! When Chromium is being updated, your Electron-based app must get updated as well, otherwise you leave your users vulnerable to serious exploits for no good reason!”

Concerned users should check which version of WhatsApp Desktop they have installed on their Windows PC or Mac. Versions 0.3.9309 and earlier are affected by the vulnerability.

Facebook updated the WhatsApp desktop and iPhone apps last month to fix the issues uncovered by Weizman.
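For fleet triage against the version threshold given above, this added example (not from the original article or from WhatsApp) classifies inventory rows as affected or patched; the host names and versions are constructed sample data. It compares version components numerically, because a plain string comparison would sort 0.3.10000 before 0.3.9309 and mislabel a newer build as affected.

```javascript
// Added example: inventory triage for the advisory above. Host names and
// inventory rows are constructed sample data, not taken from the article.

const LAST_AFFECTED = "0.3.9309"; // from the article: this version and earlier are affected

// Parse "0.3.9309" into [0, 3, 9309]; return null for anything that is not a
// plain dotted-numeric version so bad inventory data is surfaced, not guessed at.
function parseVersion(text) {
  if (typeof text !== "string" || !/^\d+(\.\d+)*$/.test(text.trim())) return null;
  return text.trim().split(".").map(Number);
}

// Component-wise numeric comparison: negative if a < b, 0 if equal, positive if a > b.
// Missing components count as 0, so "0.4" equals "0.4.0".
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Classify one installed version as "affected", "patched" or "unknown".
function classify(installedVersion) {
  const installed = parseVersion(installedVersion);
  if (installed === null) return "unknown";
  return compareVersions(installed, parseVersion(LAST_AFFECTED)) <= 0 ? "affected" : "patched";
}

// Constructed sample inventory (hypothetical hosts and versions).
const inventory = [
  { host: "win-laptop-01", version: "0.3.9309" },
  { host: "mac-design-02", version: "0.3.4479" },
  { host: "win-desk-03", version: "0.4.315" },
  { host: "mac-ops-04", version: "0.3.10000" },
  { host: "win-kiosk-05", version: "unknown-build" },
];

function triage(rows) {
  return rows.map((r) => ({ host: r.host, version: r.version, status: classify(r.version) }));
}

for (const row of triage(inventory)) {
  console.log(`${row.host}\t${row.version}\t${row.status}`);
}
```

Rows reported as "unknown" need a manual check rather than being treated as patched.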



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
