This WhatsApp bug could allow hackers to crash the app and delete group chats forever

Researchers detail security flaw that allowed hackers to crash WhatsApp and permanently delete contents of group chats - and urge users to update the app to protect against attacks.
Written by Danny Palmer, Senior Writer

WhatsApp has fixed a security flaw that could have allowed cyber attackers to repeatedly crash the messaging application for all members of a group chat, a condition that could only be cleared by completely uninstalling and reinstalling the app.

But even once the application is restored, users aren't able to return to the group, causing the loss of all of the messages and media exchanged in the chat.

The vulnerability in the chat application used by over 1.5 billion people has been uncovered by cybersecurity researchers at Check Point who worked with Facebook-owned WhatsApp to ensure it can't be exploited by malicious attackers.

It follows on from Check Point's previous research into how hackers could tamper with WhatsApp, which provided security analysts with intelligence on how WhatsApp messages are communicated and how they can be manipulated.

In order to launch the application-crashing attack, the attacker first of all needs to gain entry to the WhatsApp group they intend to target – although given that the chat app allows up to 256 users per group, this might not prove too difficult.

The attack requires some hacking skill: the attacker must be able to browse WhatsApp Web and open Chrome's DevTools, and must gain access to the secret parameters the application uses as part of how group chats operate.

However, this is possible with legitimate penetration-testing tools. In this case, researchers were able to gain access to WhatsApp traffic and decrypt the secret parameters into plain text, which allows an attacker to decrypt and modify messages, as was the case in Check Point's previous research into this area.

This time researchers found they could use this technique to alter the identifying phone number of members of the group, replacing the numbers with non-digit characters. Sending a message with this altered number would then crash the application for every member of the group.

The bug means that the app will continue to crash in an infinite loop each time WhatsApp is reopened, so the group needs to be deleted and WhatsApp needs to be reinstalled in order for the application to function again. While this restores the app to working order, the group and all of the contents within it are lost forever.
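
As an added illustration (not code from WhatsApp or Check Point), the sketch below shows the defensive pattern this class of bug calls for: check the sender identifier before any code relies on it being numeric, and set a bad message aside instead of letting it crash the client on every launch. The message shape, the 5-to-15-digit rule and all function names are assumptions made for the example.

```javascript
// Added example: hypothetical message shape, not WhatsApp's real format.
// Assumption: a participant id is a phone number of 5 to 15 digits.
const PARTICIPANT_RE = /^[0-9]{5,15}$/;

// Returns null when the message is acceptable, else a reason string.
function rejectReason(msg) {
  if (msg === null || typeof msg !== "object") return "not an object";
  if (typeof msg.participant !== "string") return "participant missing";
  if (!PARTICIPANT_RE.test(msg.participant)) return "participant not numeric";
  if (typeof msg.body !== "string") return "body missing";
  return null;
}

// Stored messages are validated one by one. A malformed message is moved to
// a quarantine list instead of throwing, so it is not replayed into a crash
// every time the group is loaded.
function loadGroup(stored, render) {
  const shown = [];
  const quarantined = [];
  for (const msg of stored) {
    const reason = rejectReason(msg);
    if (reason !== null) {
      quarantined.push({ msg, reason });
      continue;
    }
    try {
      shown.push(render(msg));
    } catch (err) {
      // A renderer fault on one message must not take down the whole group.
      quarantined.push({ msg, reason: "render failed: " + err.message });
    }
  }
  return { shown, quarantined };
}

// Constructed sample data: the second entry has a non-digit sender id.
const SAMPLE = [
  { participant: "15551230001", body: "hello" },
  { participant: "abc!@#", body: "crafted" },
  { participant: "15551230002", body: "still readable" },
];

// Hypothetical renderer that does numeric work on the sender id; BigInt()
// throws on non-digit input, which is the unguarded failure being modelled.
function renderLine(msg) {
  return "+" + BigInt(msg.participant).toString() + ": " + msg.body;
}
```

Calling `loadGroup(SAMPLE, renderLine)` keeps the two well-formed messages readable and isolates the malformed one, so the rest of the group's history survives.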

Even if all members of the group reinstall the app, any information sent previously is gone, meaning this attack could be used for sabotage – especially given how WhatsApp is used by billions of people around the world.

"It can be a tool for pure vandalism, or to specifically target a group such as political advisors or company executives to disrupt their communications. Once the chat group has been attacked using this flaw, all data in that group chat is lost permanently," Oded Vanunu, head of products vulnerability research for Check Point, told ZDNet.

Researchers disclosed their findings to the WhatsApp bug bounty program in August, and the rollout of WhatsApp version number 2.19.58 in September fixed the vulnerability. Users who haven't updated WhatsApp since September are advised to download the latest version to avoid falling victim to this attack.

"WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally," said WhatsApp software engineer Ehren Kret. "Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September.

"We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether," he added.

