WhatsApp addressed a severe vulnerability that could have allowed a malicious group member to crash the messaging app for all members of the same group.
An attacker could trigger the vulnerability by sending a maliciously crafted message to a targeted group, the message caused the app entering a loop that crashed the devices. The only way to recover a situation was forcing all group members to uninstall the WhatApp, reinstall the app, and remove the group, this will cause the users to lose the entire group chat history.
The flaw was discovered by researchers at Check Point, the issue affects the implementation of the XMPP communication protocol that crashes the app when a member with an invalid phone number sends a message to the group.
“The bug resides in XMPP (Extensible Messaging and Presence Protocol), a communication protocol for instant messaging.” reads the analysis published by CheckPoint.
“When we attempt to send a message where the parameter “participant” receives a value of “null” a ‘Null Pointer Exception’ is thrown.“
“The parser for the participant’s phone number mishandles the input when an illegal phone number is received. When it receives a phone number with a length, not in the ranger 5-20 or a non-digit character, it would read it as a ‘null’ string.”
Every time a user in a WhatsApp group sends a message to the group, the application will examine the parameter participant to identify the sender. The experts used a tool to modify this parameter, they discovered that it was possible to trigger the bug by replacing the participant’s parameter from the sender phone number to any non-digit character(s) e.g. ‘firstname.lastname@example.org.’
The tool used by the experts is an extension of the Burp Suite penetration testing software that allows users manipulating the actual WhatsApp communication using their own encryption keys.
“By sending this message WhatsApp application will crash in every phone that is a member of this group. The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop.” continues the analysis. “Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.”
Below a video PoC published by the experts:
“The bug will crash the app, and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop,” concludes the researchers. “Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.”
The attack would not affect the sender.
The researchers responsibly reported the bug to WhatsApp in late August, and the company addressed the issue with the release of WhatsApp version 2.19.58 in September.