Researchers at security specialist Check Point Software Technologies have uncovered a bug in WhatsApp that is so serious it can permanently wipe out a group chat.
According to Check Point, the vulnerability is related to “a manipulation of the WhatsApp protocol using a tool built by Check Point Research in order to validate WhatsApp security without jeopardizing WhatsApp end to end encryption.”
It seems this tool “allows a user to modify WhatsApp messages before being sent and change the general parameters, such as participant’s phone number.”
According to Check Point, the bug was discovered in August 2019 and responsibly reported to WhatsApp. The good news is that its developers fixed the bug in the update for version 2.19.246 and onwards.
In order to discover any vulnerabilities in WhatsApp, Check Point said it “set up the WhatsApp Manipulation Tool and started testing new ways to manipulate WhatsApp protocol.”
During its testing, it found a technique “where one can crash WhatsApp on multiple phones in a shared group.”
Check Point found that it could “start decrypting and modifying messages in a conversation where we participate.”
The bug itself reportedly resides in XMPP (Extensible Messaging and Presence Protocol), a communication protocol for instant messaging.
Its WhatsApp tool was able to edit the participant parameter, which identifies who sent the message.
“In order to exploit this bug we would need to replace the participant’s parameter from the sender phone number to any non-digit character(s) e.g. ‘c@s.whatsapp.net’,” said the Check Point researchers. “By sending this message WhatsApp application will crash in every phone that is a member of this group.”
“The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop,” they warned. “Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.”
“In WhatsApp there are many important groups with valuable content,” Check Point said. “If an attacker uses this technique and crashes one of these groups all chat history will be gone and further communication would be impossible.”
“The impact of this vulnerability is potentially tremendous, since WhatsApp is the main communication service for many people,” they said. “Thus, the bug compromises the availability of the app which is a crucial for our daily activities.”
The only way to recover from the issue is to uninstall WhatsApp, install it again, and remove the group which contains the malicious payload.
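The crash loop described above points to a general defensive pattern: validate the participant field when a message arrives, and keep malformed values out of the stored history that is re-read each time the chat is opened. The following is an added illustration of that pattern, not WhatsApp's or Check Point's code; the participant shape (5 to 15 ASCII digits followed by `@s.whatsapp.net`), the stanza dictionary and the `GroupStore` class are assumptions made for this example.

```python
import re

# Assumed participant shape, based on the article's example: ASCII phone
# digits followed by @s.whatsapp.net. The 5-15 digit bound is an assumption.
# [0-9] is used instead of \d, which would also accept non-ASCII digits.
PARTICIPANT_RE = re.compile(r"[0-9]{5,15}@s\.whatsapp\.net")


def parse_participant(jid):
    """Return the sender's phone digits, or None if the value is malformed."""
    if not isinstance(jid, str) or PARTICIPANT_RE.fullmatch(jid) is None:
        return None
    return jid.split("@", 1)[0]


class GroupStore:
    """Hypothetical client-side store for one group chat."""

    def __init__(self):
        self.history = []     # replayed every time the chat is opened
        self.quarantine = []  # rejected stanzas, never rendered

    def receive(self, stanza):
        """Validate before persisting; return True if the message was stored."""
        sender = parse_participant(stanza.get("participant"))
        if sender is None:
            self.quarantine.append(stanza)
            return False
        self.history.append({"sender": sender, "body": stanza.get("body", "")})
        return True

    def render(self):
        """Rebuild the chat view from stored history only."""
        return [f"+{m['sender']}: {m['body']}" for m in self.history]


if __name__ == "__main__":
    # Constructed sample stanzas; the phone number is a made-up test value.
    store = GroupStore()
    for s in (
        {"participant": "447700900123@s.whatsapp.net", "body": "hi"},
        {"participant": "c@s.whatsapp.net", "body": "malformed sender"},
    ):
        print(store.receive(s), s["participant"])
    print(store.render())
```

Because rejected stanzas never reach `history`, reopening the chat only ever replays values that have already passed validation.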
Check Point produced a proof of concept video.
As WhatsApp is now a hugely popular messaging app, the importance of its security remains a serious issue for many people.
This was evidenced in October, when WhatsApp sued Israel-based NSO Group, and alleged it was behind the cyberattack earlier this year that infected devices with advanced surveillance tools.
In May 2019, WhatsApp urged all of its 1.5 billion users to update their software to fix a vulnerability that it said was being actively exploited to implant advanced surveillance tools on users’ devices.
The Facebook-owned company discovered the vulnerability earlier in May and released a fix. The Financial Times reported in May that the bug was used to implant spyware developed by NSO, citing an unnamed surveillance software maker as its source.