It was cool, but back then I couldn’t come up with any idea of further exploiting the flaw or finding related flaws. In the words of Check Point’s researchers in this article published in 2018, it allowed an attacker to “alter the text of someone else’s reply, essentially putting words in their mouth.”
TL;DR: This is the story of how I found and helped Facebook patch multiple critical security flaws in WhatsApp (CVE-2019-18426), all the way from a simple Open-Redirect through a Persistent-XSS and CSP-bypass to a full cross-platform Read From The Local File System on both Windows and Mac!

Back in 2017, while I was traveling in Peru, I found a security flaw that Check Point published a few months later.