A flaw found in the desktop version of WhatsApp lets third-parties access your file system on macOS and Windows.
CVE-2019-18426
Tracked as CVE-2019-18426 the flaw has been patched by Facebook and is only present in versions before 0.3.9309. When synced with the iOS app versions prior to 2.20.10 it allowed for cross-site scripting and local file reading. All that was required for the attack was for the victim to click on a link inside a special text message.
Security researcher Gal Weizman found the flaw, and his story behind it is an interesting read:
I originally thought: “Using WhatsApp web, I can find the line of code where the object containing the metadata of the message is being formed, tamper with it, and then let the app continue in its natural message-sending flow, thus crafting my message while bypassing the UI filtering mechanism.”
Again, the flaw has been patched so there’s no need to worry…until the next flaw is found.