Date: 2020-02-06

WhatsApp’s desktop client reportedly featured a bug that allowed hackers to access files by inserting a JavaScript message. The Facebook-owned messaging app has now patched the vulnerability on Windows and macOS.

The security flaw was detected by security researcher Gal Weizman in WhatsApp’s desktop client from version 0.3.9309 and WhatsApp for iOS version 2.20.10. He stated that the bug lay in WhatsApp’s Content Security Policy, which had allowed attackers to carry out XSS attacks.

For the uninitiated, an XSS (cross-site scripting) attack means that an attacker can send a misleading file with a malicious JavaScript link. When the victim clicks on the link, their browser generates an HTTP request, which is sent to the vulnerable web application.

Weizman demonstrated the flaw in his blog post, where he also stated that the scope of the flaw was wider in WhatsApp’s desktop application than in the web client. He also uploaded screenshots showing data retrieved remotely from the victim’s computer through the WhatsApp desktop application.