Imagine sharing important and sensitive information via a group chat, only to have all of it deleted forever. That's what could have happened had WhatsApp not patched a vulnerability.
The bug works this way only in group chats: a single message is enough to crash the app for every member of the conversation.
Check Point experts reported the flaw when it arose in August, which prompted WhatsApp to fix the issue in its latest version, 2.19.246.
How would one WhatsApp message crash the app?
According to the Check Point report, malicious actors could modify messages to their advantage, using them as a tool to access the messenger and create a crash loop.
Sending just one message to a group chat would crash WhatsApp for all members of that chat. When those members tried to reinstall the app, all previous conversations in that chat would disappear.
WhatsApp crashes when a specific malicious message, with modified parameters and an invalid phone number as its sender, is sent to a group chat.
Check Point experts stated, "By sending this message WhatsApp application will crash in every phone that is a member of this group. The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop."
It continued, "Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash."
How would hackers create the malicious message?
Creating the message requires WhatsApp Web, a web browser debugging tool, and an open-source WhatsApp manipulation tool, which together let users decrypt and re-encrypt their own communication using encryption keys of their own.
However, to carry out the attack successfully, the third party has to be a member of the group chat.
Then, the phone number of the person sending the malicious message is changed to an invalid, non-digit value: firstname.lastname@example.org.
Because of this change, no one can then delete the 'number', and all members of the chat end up in a crash-loop cycle, which only ends once the members delete the app and reinstall it.
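The crash loop described above, as a simplified model added here (not code from WhatsApp or Check Point): a client that re-reads stored group messages at every launch keeps failing on the same malformed sender, while one that validates the sender and sets the bad record aside starts normally. The field name participant, the digits-only rule, the replay-at-launch behaviour and the sample messages are assumptions made for the illustration.

```python
import re

# Assumption: a valid sender identifier is 5 to 20 ASCII digits. The article
# does not describe the real WhatsApp identifier format.
VALID_SENDER = re.compile(r"[0-9]{5,20}")

# Constructed sample group history; the second record has a non-digit sender.
SAMPLE_GROUP = [
    {"participant": "15550100001", "text": "hi"},
    {"participant": "not-a-number@example.invalid", "text": "hello"},
    {"participant": "15550100002", "text": "bye"},
]

def naive_load(stored):
    """Parse every stored message at launch; one bad sender aborts the load."""
    return [(int(m["participant"]), m["text"]) for m in stored]

def hardened_load(stored):
    """Validate each sender and quarantine bad records instead of crashing."""
    accepted, quarantined = [], []
    for m in stored:
        sender = m.get("participant")
        if isinstance(sender, str) and VALID_SENDER.fullmatch(sender):
            accepted.append((int(sender), m.get("text", "")))
        else:
            quarantined.append(m)  # kept for inspection, never parsed again
    return accepted, quarantined

def launches_until_ok(loader, stored, attempts=3):
    """Return the 1-based launch that succeeds, or None if all of them crash."""
    for n in range(1, attempts + 1):
        try:
            loader(stored)
            return n
        except (ValueError, TypeError, KeyError):
            continue  # the "crash"; the stored message is still there next time
    return None

if __name__ == "__main__":
    print("naive client first good launch:", launches_until_ok(naive_load, SAMPLE_GROUP))
    print("hardened client first good launch:", launches_until_ok(hardened_load, SAMPLE_GROUP))
```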
Worryingly, it sounds easy enough to create this message. However, now that WhatsApp has released an updated version, this is no longer an issue.
Given that the messaging app is used by roughly 1.5 billion people worldwide, it's a good thing the matter was patched up quickly.