An exploitable notice bypass vulnerability exists in the multiple web connections functionality of Facebook WhatsApp Desktop version 0.2.9739. This functionality lets a user choose what to do when more than one desktop session is started with WhatsApp Desktop. By stealing the session information from the victim and following a specific sequence of steps, an attacker can clone the session and receive, in real time, all messages and attachments from the victim's communications. The attacker can start a session on their own computer while preventing the multiple web connections notice from appearing on the victim's screen.
Facebook WhatsApp for MacOS version 0.2.9739
Facebook WhatsApp for Windows version 0.2.9928
6.0 - CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CWE-303: Incorrect Implementation of Authentication Algorithm
WhatsApp Desktop allows a person to use WhatsApp on the desktop. The enrollment process for the desktop requires the user to scan a QR code generated by the desktop app with their mobile application. This enrollment remains valid while the mobile device has Internet connectivity, or until the user manually deletes the session in the mobile application. If a user copies the session data from one desktop to another, a notice is shown asking the user either to reclaim the session on the original desktop or to log out. If the user takes no action, the session remains valid on the secondary desktop.
If attackers gain access to the session information (through malware or local access), they are able to start a shadow session without the user ever receiving the multiple session notice. To do so, attackers need to follow the following procedure:
After following this procedure, the attacker receives all previous and future messages without the victim ever receiving a notice in the desktop application. The only way for the user to detect a shadow session is to check the active sessions manually in the mobile application's menus, where he or she can also disable such a connection.
2018-07-05 - Initial contact via vendor template; report #104531533800808 assigned
2018-07-31 - After an initial refusal to look into the issue, vendor says the vulnerability is in the Electron Framework
2018-08-01 - Reply explaining that the lack of encryption of the Electron Framework cookies is also a problem
2018-08-01 - Vendor replied that they would look into the issue
2018-09-04 - Follow up w/vendor, no response
2018-09-24 - Follow up w/vendor, no response
2018-10-03 - Follow up w/vendor advising issue reaches 90 days and plans for public disclosure
2018-11-26 - Follow up w/vendor, advising that we could disclose
2018-12-03 - Requested CVE from Mitre
2018-12-10 - Public disclosure
Discovered by Vitor Ventura of Cisco Talos.