Security research group Check Point Research recently uncovered a flaw in WhatsApp through which a single malicious user could crash the apps of all members of a group chat.



After joining a group chat, a malicious user could edit specific message parameters using the WhatsApp web interface and a browser debugging tool, creating an "unstoppable crash-loop for all group chat members" which could only be fixed by uninstalling and reinstalling the app.

The exploit would prevent members from returning to the group, and all history of the chat would be lost.


How does it work?

According to the paper [1]:

The bug resides in XMPP (Extensible Messaging and Presence Protocol), a communication protocol for instant messaging.
When we attempt to send a message where the parameter “participant” receives a value of “null” a ‘Null Pointer Exception’ is thrown.

In order to exploit this bug we would need to replace the participant’s parameter from the sender phone number to any non-digit character(s) e.g. ‘c@s.whatsapp.net’ as can be seen below:

By sending this message WhatsApp application will crash in every phone that is a member of this group.

The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop.

Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.
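
A receiver-side model of the failure described above, as an added example (not code from Check Point's paper or from WhatsApp): a participant value that fails to parse yields a null sender, and validating it before the message is stored keeps it out of the history. The JID pattern, the `GroupChat` class and the assumption that stored messages are rendered again on every app start are hypothetical.

```python
import re

# Assumed shape of a group sender JID: phone digits + "@s.whatsapp.net".
PARTICIPANT_RE = re.compile(r"[0-9]{5,15}@s\.whatsapp\.net")

def parse_participant(jid):
    """Return the phone number string, or None if the JID is malformed."""
    if not isinstance(jid, str):
        return None
    return jid.split("@", 1)[0] if PARTICIPANT_RE.fullmatch(jid) else None

class GroupChat:
    """Toy receiver; `history` stands in for the on-disk message store."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.history = []    # persisted messages, rendered on every app start
        self.rejected = []   # malformed messages kept out of the store

    def receive(self, msg):
        if self.hardened and parse_participant(msg.get("participant")) is None:
            self.rejected.append(msg)   # validate BEFORE persisting
            return False
        self.history.append(msg)
        return True

    def render(self):
        """Runs on every app start; the naive path uses a None sender."""
        lines = []
        for msg in self.history:
            phone = parse_participant(msg.get("participant"))
            lines.append("+" + phone + ": " + msg["body"])  # TypeError if None
        return lines

def crashing_starts(chat, attempts=3):
    """Count consecutive app starts that crash while rendering the history."""
    crashes = 0
    for _ in range(attempts):
        try:
            chat.render()
            break
        except TypeError:   # Python's analogue of the null pointer exception
            crashes += 1
    return crashes

# Constructed sample messages; the malformed participant is the value quoted above.
GOOD = {"participant": "15551230000@s.whatsapp.net", "body": "hello"}
BAD = {"participant": "c@s.whatsapp.net", "body": "hi"}
```

In the unhardened model the malformed message stays in the store, so every start fails the same way; the hardened receiver rejects it on arrival and the history keeps rendering.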

Researchers also published a video that explains the attack flow:

https://www.youtube.com/watch?v=u-sGONBNrwg


Is there a fix?

Yes! The bug was discovered in August 2019 and responsibly reported to WhatsApp, whose developers fixed it in the update for version 2.19.246 and onwards.


References

  1. BreakingApp – WhatsApp Crash & Data Loss Bug