WhatsApp Bug Could Let Attackers Crash the App, Delete Group Messages: Check Point

WhatsApp has fixed a bug that could have allowed attackers to deliver a malicious group message to repeatedly crash the app for all the members of the group, a report by Check Point Research revealed on Tuesday. The bug, which was discovered in August, is said to have the potential to cause a crash loop that could only be fixed by completely uninstall and reinstall the app. Even after reinstalling, users wouldn't be able to return to the affected group and hence would lose all the messages and media content exchanged in that particular group.

According to the blog post by Check Point Research detailing the bug, an attacker would need to be a member of the target WhatsApp group to impact its other members. The instant messaging app has a limit of 256 members per group, which isn't too small to make room for a bad actor.

Once they have gained membership, the bad actor would need to use WhatsApp Web and debugging tool like Google Chrome's DevTools to edit specific message parameters that cause the crash loop for all group members.

The bug was found by the Check Point Research team after inspecting the communications between WhatsApp and WhatsApp Web. The researchers were able to manipulate the parameters used for WhatsApp communications that could cause repeated crash. Furthermore, technical details of the bug have been published in the blog post.

Although the affected users would be able to fix the crash loop by reinstalling WhatsApp on their devices, the bug forces them to delete the group that removes all its messages and media content.

“Because WhatsApp is one of the world's leading communication channels for consumers, businesses and government agencies, the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors,” said Oded Vanunu, Check Point's Head of Product Vulnerability Research, in a media statement.

Check Point Research disclosed its findings to the WhatsApp bug bounty programme on August 28. WhatsApp has fixed the flaw starting its Android version number 2.19.58. Moreover, users, especially those who haven't updated WhatsApp since the middle of September, are recommended to download the latest version to prevent instances of crashes through malicious group messages.

“WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally,” said WhatsApp Software Engineer Ehren Kret. “Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties all together.”

The latest fix comes weeks after WhatsApp was found to include an MP4 file security flaw that could be used to trigger remote code execution (RCE) or denial-of-service (DoS) attacks. The Facebook-owned app also in September fixed a bug that could let attackers steal user data directly through a malicious GIF file.

WhatsApp has a strong base of over 1.5 billion users across the globe -- with more than 400 million users in India alone. This gives a significant reason to researchers to actively dig in and find new vulnerabilities.