The company’s security researcher, Gal Weizman, found vulnerabilities in WhatsApp’s Content Security Policy (CSP) that could be exploited to send manipulated messages and links using Cross-Site Scripting (XSS). He was able to take advantage of these flaws to send malicious code or read files from a computer’s local file system. That could’ve been quite harmful if someone stored sensitive documents on their machine.
The researcher was able to find and manipulate code from where messages are formed in the desktop app. He proceeded to forge a banner with a link preview to include a potentially malicious link.
Weizman suggested that WhatsApp shouldn’t use older version of Google’s chromium-browser platform to avoid such flaws. If you’re using WhatsApp on an iPhone and through its desktop app, you should update both, just to be safe.
You can read the technical details of how Weizman was able to bypass WhatsApp’s CSP here.