A “nice” vulnerability has been discovered in the popular messaging app WhatsApp that could be exploited by an attacker to remotely crash the mobile app just by sending a specially crafted message. The news was reported by two Indian security researchers that contacted the colleagues at ‘The Hacker News’.
The two India based researchers, Indrajeet Bhuyan and Saurav Kar, are very young, they are both 17-year old teenagers and have reproduced the exploitation of the vulnerability in the WhatsApp Message Handler.
TheHackersNews portal has published a video PoC in which is demonstrated that by sending a 2000 words (2kb in size) message in a special character set is possible to cause the crash of the WhatsApp recipients’ app.
As explained by the researchers, the bug in the WhatsApp is really worrying because in order to restore a normal operation, the targeted user will have to delete his whole conversation and start a new chat session. This anomalous behavior is caused by the presence of the malicious message within the chat messages that will cause the WhatsApp crash unless the chat is deleted completely.
“What makes it more serious is that one needs to delete entire chat with the person they are chatting to in order to get back whatsapp work in normal,” Bhuyan told THN in an e-mail.
The serious flaw affects most of the Android versions currently available on the market including Jellybean, Kitkat, and all the below android versions.
Also WhatsApp groups are seriously impacted by the vulnerability, an attackers could intentionally send a specially crafted message to exit people from the group and delete the group. Just by sending a specially crafted message is possible to avoid that a member of the group maintains trace of attacker’ chat with him, because the message will cause the crash of the targets.
The Indian researchers still haven’t massively tested the flaw in iOS version of WhatsApp, meanwhile the attack doesn’t work on Windows 8.1.
These guys are really a wonder, what do you think?
(Security Affairs – WhatsApp, hacking)