BreakingApp: a vulnerability in WhatsApp let one message render the app unusable for entire groups

Security research group Check Point Research recently uncovered a flaw in WhatsApp through which a single malicious user could crash the apps of all members of a group chat.

After joining a group chat, a malicious user could edit specific message parameters using the WhatsApp web interface and a browser debugging tool, creating an “unstoppable crash-loop for all group chat members” which could only be fixed by uninstalling and reinstalling the app.

The exploit would prevent members from returning to the group and and also lose all history of the chat.


How it works?

According to the paper [1]:

The bug resides in XMPP (Extensible Messaging and Presence Protocol), a communication protocol for instant messaging.
When we attempt to send a message where the parameter “participant” receives a value of “null” a ‘Null Pointer Exception’ is thrown.

In order to exploit this bug we would need to replace the participant’s parameter from the sender phone number to any non-digit character(s) e.g. ‘[email protected]’ as can be seen below:

By sending this message WhatsApp application will crash in every phone that is a member of this group.

The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop.

Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.

Researchers also published a video that explains the attack flow:


Is there a fix?

Yes! The bug was discovered in August 2019 and responsibly reported to WhatsApp whose developers fixed the bug in the update for version 2.19.246 and onwards.


References

  1. BreakingApp – WhatsApp Crash & Data Loss Bug

Related posts

  1. Security analysis of WhatsApp calls
  2. Some thoughts about the Signal Messaging Protocol
  3. CVE-2019-18426: WhatsApp bug allowed remote access to users computers with just a text message
  4. New WhatsApp vulnerability allows remote command execution using a crafted MP4 file
  5. Watch out! A new vulnerability in WhatsApp for Android allows attackers to perform remote commands on devices