CVE-2019-18426
published 2020-01-21

Priority: P1 · 85 · high
CVSS 3.1: 8.2 (AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:L / A:N)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-13
Exploited in the wild
EPSS: 67.86% (99.2th percentile)

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facebook | whatsapp_desktop | | |
| facebook | whatsapp_desktop | >= unspecified < 0.3.9309 | 0.3.9309 |
| whatsapp | whatsapp | < 0.3.9309 | 0.3.9309 |
| whatsapp | whatsapp | < 2.20.10 | 2.20.10 |

Detection & IOCs (extracted from sources)

  • command: `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`
  • command: `fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'))`
  • path: `file:///C:/windows/system32/drivers/etc/hosts`

  • Detect WhatsApp Desktop messages containing a link preview with a javascript: URI scheme payload, specifically the pattern `javascript:"https://...";eval(atob(...))`, which is the exploit delivery vector.
  • Monitor for WhatsApp Desktop processes making file:// scheme fetch requests to local filesystem paths (e.g., file:///C:/windows/system32/drivers/etc/hosts), which indicates successful XSS exploitation and local file read.
  • The exploit is triggered when the victim clicks a link preview in a specially crafted text message; monitor for user interaction with link previews in WhatsApp Desktop versions prior to 0.3.9309.
  • Look for the exploit manipulation of WhatsApp message object properties `__x_matchedText` and `__x_body` being set to javascript: URI payloads in browser devtools or memory forensics.
  • The base64 string `ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz` decodes to `file:///C:/windows/system32/drivers/etc/hosts`; flag its presence in network traffic or process memory associated with WhatsApp Desktop.
  • The vulnerability only exists when WhatsApp Desktop (prior to 0.3.9309) is paired with WhatsApp for iPhone (prior to 2.20.10); both version conditions must be met simultaneously for the attack to succeed.
  • The exploit as published targets WhatsApp Web source code compiled specifically at version 0.3.9308; the breakpoint-based injection technique is a proof-of-concept requiring local devtools access to craft the malicious message.
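
The string-level checks in the list above can be combined into one triage routine. The following is an added example, not code from this page or its sources: it takes a link string (for instance a link-preview target recovered from a message export or a memory strings dump), flags a `javascript:` scheme, flags `eval(atob(`, and follows nested `atob('...')` arguments to surface any `file://` target. Function names and the sample input are assumptions constructed for illustration.

```python
import base64
import re

# atob('...') or atob("...") with a literal base64 argument
ATOB_ARG = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
EVAL_ATOB = re.compile(r"eval\(\s*atob\(")

def is_javascript_uri(link):
    # URL parsers drop tab/CR/LF and leading whitespace before reading the
    # scheme, so normalise the same way before comparing.
    cleaned = re.sub(r"[\t\r\n]", "", link).lstrip().lower()
    return cleaned.startswith("javascript:")

def decoded_layers(text, depth=3):
    """Return every string recovered from atob() arguments, following nesting."""
    found = []
    if depth == 0:
        return found
    for _quote, b64 in ATOB_ARG.findall(text):
        try:
            plain = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64, ignore
            continue
        found.append(plain)
        found.extend(decoded_layers(plain, depth - 1))
    return found

def inspect_link(link):
    """Return a list of findings for one link string (empty list = clean)."""
    findings = []
    if is_javascript_uri(link):
        findings.append("javascript-scheme")
    if EVAL_ATOB.search(link):
        findings.append("eval-atob")
    for plain in decoded_layers(link):
        if plain.lower().startswith("file://"):
            findings.append("local-file:" + plain)
    return findings

# Constructed sample: the two command strings listed on this page, with the
# second one placed in the first one's ${btoa(payload)} slot.
INNER = "fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'))"
SAMPLE_LINK = 'javascript:"https://example.com";eval(atob("%s"))' % (
    base64.b64encode(INNER.encode()).decode())

if __name__ == "__main__":
    for link in (SAMPLE_LINK, "https://example.com/page"):
        print(inspect_link(link))
```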

CVSS provenance

nvd · v3.1 · 8.2 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
nvd · v2.0 · 5.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:N
vulncheck · 8.2 · HIGH
cisa · 8.2 · HIGH