Do you like chatting in interest groups? Do you smile or shiver when new messages arrive in the group chat for your child’s kindergarten or school class? You are in danger! A recently discovered dangerous vulnerability allows any member of a group chat to disable WhatsApp on the devices of all other participants using a special message. Check Point researchers discovered this vulnerability.
By sending a specially configured message to a group, an attacker can start a denial of service loop that makes it impossible to continue using the application.
“By sending message WhatsApp application will crash in every phone that is a member of this group. The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop. Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash”, write Check Point researchers.
The only solution to the problem in this case is to remove WhatsApp and reinstall it. However, then all correspondence and files will also be deleted.
According to Check Point experts, the cause of the problem is WhatsApp's implementation of the XMPP protocol, which “breaks” the application when a participant with an invalid phone number sends a message to a group chat.
When a message is sent with the value ‘null’ specified as the ‘participant’ parameter, the result is a null pointer exception. Upon receiving an invalid phone number, the parser for the group member’s phone number does not process the input correctly: if it receives a phone number with a length outside the range of 5 to 20, or one containing a non-numeric character, it reads it as ‘null’.
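The failure mode described above, and the check that prevents it, as an added example that is not WhatsApp's or Check Point's code. All function names are hypothetical, the sample messages are constructed, and the only rule taken from the article is the 5 to 20 digit range.

```javascript
// Illustration only: hypothetical names, not WhatsApp's actual parser.
// Rule from the article: 5 to 20 characters, digits only; anything else is null.
function parseParticipant(raw) {
  if (typeof raw !== "string") return null;
  return /^[0-9]{5,20}$/.test(raw) ? { number: raw } : null;
}

// Fragile pattern: the parser result is dereferenced without a check,
// so an invalid participant turns into an unhandled exception.
function handleUnchecked(msg) {
  const sender = parseParticipant(msg.participant);
  return `${sender.number}: ${msg.body}`; // TypeError when sender is null
}

// Hardened pattern: a parse failure rejects the message before any
// further processing, and the application keeps running.
function handleChecked(msg) {
  const sender = parseParticipant(msg.participant);
  if (sender === null) {
    return { accepted: false, reason: "invalid participant" };
  }
  return { accepted: true, line: `${sender.number}: ${msg.body}` };
}

// Constructed sample messages (not captured traffic).
const SAMPLES = [
  { participant: "15551234567", body: "hello" },           // valid
  { participant: "1234", body: "too short" },              // length < 5
  { participant: "123456789012345678901", body: "long" },  // length > 20
  { participant: "1555abc4567", body: "non-numeric" },     // letters
  { participant: null, body: "null participant" },         // explicit null
];

// Run both handlers over the samples and record what each one does.
function compareHandlers(samples) {
  return samples.map((msg) => {
    let crashed = false;
    try {
      handleUnchecked(msg);
    } catch (err) {
      crashed = err instanceof TypeError;
    }
    return { participant: msg.participant, crashed, accepted: handleChecked(msg).accepted };
  });
}

console.log(compareHandlers(SAMPLES));
```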
To carry out an attack, a group chat participant must manipulate other parameters associated with messages in a chat encrypted using end-to-end encryption.
To do this, an attacker can use WhatsApp Web and a web browser's debugging tool, paired with an open-source tool from Check Point for manipulating WhatsApp.
So, do you urgently need to leave all group chats?
Fortunately, the vulnerability has been fixed in WhatsApp 2.19.58; update your application just in case.