WhatsApp flaw lets hackers crash your app with one message

17 Dec 2019

Hackers could crash the WhatsApp application for users by sending one destructive message in a group chat, research from Check Point found.

Researchers from Israeli cybersecurity firm Check Point discovered a WhatsApp flaw that lets cybercriminals send a destructive group text to users that would immediately crash the app for all recipients.

So severe is the crash that impacted users would have to uninstall and then reinstall the app in order to return to functionality. In addition, users wouldn’t be able to regain access to the group chat without re-triggering the crash, meaning that the only option would be to delete the group chat entirely, which Check Point notes would lead to the indefinite loss of the chat history.

The attack can be launched using WhatsApp Web and a browser debugging tool. Check Point reported the flaw to WhatsApp through its bug bounty program on 28 August 2019.

WhatsApp responded by patching the issue in version number 2.19.58. This version was deployed in September, and included new controls to prevent people from being added to unwanted groups, so as to avoid communication with untrusted parties.

‘Powerful weapon’

“Because WhatsApp is one of the world’s leading communication channels for consumers, businesses and government agencies, the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors,” explained Oded Vanunu, Check Point’s head of product vulnerability research.

“All WhatsApp users should update to the latest version of the app to protect themselves against this possible attack.”

This research follows on from reports in August of a vulnerability that allowed hackers to change and manipulate WhatsApp messages.

WhatsApp is one of the most popular apps in the world and boasts 1.5bn users globally. Approximately 65bn messages are sent on WhatsApp every day and in many countries it is used as a news source.

In response to the research from Check Point, WhatsApp software engineer Ehren Kret said: “WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally. Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September.

“We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether.”

Updated, 17 December 2019, 3:45pm: This article was amended to include comments from a WhatsApp engineer.

Eva Short was a journalist at Silicon Republic