
While WhatsApp itself is said to have 1.5 billion active monthly users, the number of those who are using the app on an iPhone is not known. Because this vulnerability, as devastatingly simple and dangerous as it is, can only be exploited by those users with an older desktop app connected to their older iPhone app, the number of people at risk is reduced even further. However, the starting point is so large that we could still well be talking hundreds of thousands, if not millions.

Getting technical and diving into the WhatsApp Content Security Policy

PerimeterX researcher Weizman dug deep into the WhatsApp Content Security Policy (CSP) and it was here that he found the "gap" that enabled him to perform "bypasses and cross-site scripting" exploits on the desktop app itself. This also meant he was able to get read permissions from the local file system on the app.

Injecting malicious code or links into text messages became relatively simple at this point by modifying the JavaScript code of the message before delivery, and totally invisible to the average WhatsApp user. For a malicious message to work, it must contain the text "javascript:" which will most likely be written off as some app weirdness by most non-technical users.

The WhatsApp response to these latest app security revelations

Importantly, while newer versions of Google Chrome have JavaScript modification protections built-in (the older version as implemented by the vulnerable WhatsApp desktop application didn't), Safari is, according to the researchers, "still wide-open to these vulnerabilities."

"We regularly work with leading security researchers to stay ahead of potential threats to our users," a WhatsApp spokesperson said, "in this case, we fixed an issue that in theory could have impacted iPhone users that clicked on a malicious link while using WhatsApp on their desktop." The WhatsApp spokesperson also confirmed that the vulnerabilities were fixed promptly, and the patch has been applied to app downloads since the middle of December, 2019.

Mitigating the one-click WhatsApp exploit risk

The mitigation advice given to WhatsApp users who wanted to continue using the app on older iPhones was to update the operating system if possible. The mitigation advice now is to update the app itself and do so as a matter of some urgency.
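
The article notes that a malicious message has to contain the text "javascript:". As an added illustration (not WhatsApp's or PerimeterX's code; the function names and sample strings are constructed for this example), a client that renders links from message content can parse each URL and allowlist its scheme rather than match that literal text, which a plain string comparison handles less reliably:

```javascript
// Added example, not WhatsApp's code: decide whether a URL taken from
// message content may be rendered as a clickable link.
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

// Weak form: a literal blocklist test on the raw string.
function naiveIsSafe(raw) {
  return !raw.startsWith("javascript:");
}

// Hardened form: parse first, then allowlist the scheme.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser normalizes the way a browser does: it trims
    // leading spaces and control characters, removes tabs and newlines,
    // and lowercases the scheme before we look at it.
    url = new URL(raw);
  } catch {
    return null; // unparsable or relative input is never linked
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Constructed sample inputs (not taken from the research).
const SAMPLES = [
  "https://example.com/news",
  "javascript:void(0)",
  "JavaScript:void(0)",
  "java\tscript:void(0)",
  "not a url",
];

// Run both checks on every sample so the difference is visible.
function compare(samples) {
  return samples.map((raw) => ({
    raw,
    naive: naiveIsSafe(raw),
    hardened: safeHref(raw) !== null,
  }));
}

console.table(compare(SAMPLES));
```

Only the https sample passes the hardened check, while the literal comparison accepts every sample except the exact lowercase string.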
