WhatsApp for Mac update patches security flaw


What you need to know

  • The latest update for WhatsApp on Mac has patched a serious security flaw.
  • The flaw was discovered by security researcher Gal Weizman.
  • It allowed users to exploit the quote feature in a group conversation to change the identity of the sender and could be used to redirect people to malicious websites.

An update for WhatsApp on macOS has patched a security flaw that could be used to redirect users to malicious websites.

As reported by 9to5Mac:

If you use WhatsApp on Mac, you'll want to make sure the desktop app has been updated to the current version, 0.4.316. This closes a very nasty security hole. The vulnerability was discovered by security researcher Gal Weizman. It built on an earlier issue in which replies could fake the original text…

Weizman's blog states:

Back in 2017, while I was traveling in Peru, I found a security flaw that Check Point published a few months later. That flaw was simple. In the words of Check Point's researchers in this article published in 2018, it allowed an attacker to "alter the text of someone else's reply, essentially putting words in their mouth."

Weizman went on to research the flaw to see where it was evident and how it could be used. He found four unique security flaws in WhatsApp, including one which could use the reply feature to rewrite messages using the quote feature and incorporate links to malicious websites. He was also able to use malicious code to read files from a Mac.

The full rundown is very complex, but you can read it here. In conclusion, he said:

And that's pretty much it. I have to admit I've put a lot of effort and time into this research, but I'm glad to say it all paid off. I think there are a few very interesting ideas here that should inspire you to explore new types of security flaws that probably exist out there. I encourage you to go ahead and do that responsibly! And if you're on the other side of the game, please use this article to harden your application. It is 2020, no product should be allowing a full read from the file system and potentially a RCE from a single message.

Version 0.4.316 of WhatsApp for Mac was released on January 24.

Stephen Warwick

1 Comment
  • If the app was native it most likely wouldn't have had this issue