WhatsApp Bug Can Wipe Out Group Chats, Warns Check Point

Researchers at security specialist Check Point Software Technologies have uncovered a bug in WhatsApp that is so serious it can permanently wipe out a group chat.

According to Check Point, the vulnerability is related to “a manipulation of the WhatsApp protocol using a tool built by Check Point Research in order to validate WhatsApp security without jeopardizing WhatsApp end to end encryption.”

It seems this tool “allows a user to modify WhatsApp messages before being sent and change the general parameters, such as participant’s phone number.”

Group chats

According to Check Point, the bug was discovered in August 2019 and responsibly reported to WhatsApp. The good news is that its developers fixed the bug in the update for version 2.19.246 and onwards.

In order to discover any vulnerabilities in WhatsApp, Check Point “set up the WhatsApp Manipulation Tool and started testing new ways to manipulate WhatsApp protocol.”

During its testing, it found a technique “where one can crash WhatsApp on multiple phones in a shared group.”

Check Point found that it could “start decrypting and modifying messages in a conversation where we participate.”

The bug itself reportedly resides in XMPP (Extensible Messaging and Presence Protocol), a communication protocol for instant messaging.

Its WhatsApp tool was able to edit the participant parameter, which identifies who sent the message.

“In order to exploit this bug we would need to replace the participant’s parameter from the sender phone number to any non-digit character(s) e.g. ‘c@s.whatsapp.net’,” said the Check Point researchers. “By sending this message WhatsApp application will crash in every phone that is a member of this group.”

“The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop,” they warned. “Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.”

“In WhatsApp there are many important groups with valuable content,” Check Point said. “If an attacker uses this technique and crashes one of these groups all chat history will be gone and further communication would be impossible.”

“The impact of this vulnerability is potentially tremendous, since WhatsApp is the main communication service for many people,” they said. “Thus, the bug compromises the availability of the app which is crucial for our daily activities.”

The only way to recover from the issue is to uninstall WhatsApp, install it again, and remove the group which contains the malicious payload.
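The failure mode described above, an unvalidated participant value that is stored and then re-parsed every time the group is opened, can be modelled in a few lines alongside the defensive pattern of validating before persisting. This is an added example, not code from WhatsApp or Check Point; the class names, the message fields (`participant`, `body`), the digit-length bounds and the sample numbers are assumptions made for illustration.

```python
import re

# Assumption: a valid group sender is "<ASCII digits>@s.whatsapp.net",
# matching the form of the value quoted in the article.
PARTICIPANT_RE = re.compile(r"[0-9]{5,15}@s\.whatsapp\.net")

def sender_number(participant: str) -> int:
    """Naive parse: raises ValueError on a non-digit user part such as 'c'."""
    return int(participant.split("@", 1)[0])

class NaiveClient:
    """Stores first, parses on open: one bad message breaks every later open."""
    def __init__(self):
        self.stored = []
    def receive(self, msg):
        self.stored.append(msg)
    def open_group(self):
        return [(sender_number(m["participant"]), m["body"]) for m in self.stored]

class HardenedClient(NaiveClient):
    """Validates at the trust boundary; malformed messages never reach storage."""
    def __init__(self):
        super().__init__()
        self.rejected = 0
    def receive(self, msg):
        p = msg.get("participant")
        if not isinstance(p, str) or not PARTICIPANT_RE.fullmatch(p):
            self.rejected += 1  # count and drop instead of persisting
            return
        self.stored.append(msg)

def opens_cleanly(client) -> bool:
    """True if the stored history can be rendered without an exception."""
    try:
        client.open_group()
        return True
    except ValueError:
        return False

# Constructed sample traffic (fictional numbers), not captured data.
SAMPLE = [
    {"participant": "15550100001@s.whatsapp.net", "body": "hello"},
    {"participant": "c@s.whatsapp.net", "body": "x"},
    {"participant": "15550100002@s.whatsapp.net", "body": "still here"},
]

def run(client_cls):
    client = client_cls()
    for msg in SAMPLE:
        client.receive(msg)
    return client
```

In the naive model every call to `open_group()` fails again because the malformed message is already in storage, which mirrors the crash loop; the hardened model drops it on receipt and the remaining history stays readable.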

Check Point also produced a proof of concept video.

App security

As WhatsApp is now a hugely popular messaging app, the importance of its security remains a serious issue for many people.

This was evidenced in October, when WhatsApp sued Israel-based NSO Group, and alleged it was behind the cyberattack earlier this year that infected devices with advanced surveillance tools.

In May 2019, WhatsApp urged all of its 1.5 billion users to update their software to fix a vulnerability that it said was being actively exploited to implant advanced surveillance tools on users’ devices.

The Facebook-owned company discovered the vulnerability earlier in May and released a fix. The Financial Times reported in May that the bug was used to implant spyware developed by NSO, citing an unnamed surveillance software maker as its source.

Tom Jowitt
