WhatsApp, owned by Facebook, has fixed a severe security bug that could let a hacker crash the messaging app for the members of a group chat, leaving it unusable until they reinstall it.
The attack would prevent users from returning to the group chat. It also removes the group chat history.
WhatsApp patched the issue in September with version 2.19.58. If you have not updated WhatsApp for a long time, make sure you are using the latest version.
The security bug
To take advantage of this WhatsApp bug, a hacker needs moderate to high networking and development knowledge. He also needs to be part of the group chat.
The hacker has to use WhatsApp for Web and look for the secret parameter, which he can obtain with penetration testing tools by sniffing the data stream on the network while the QR code is generated.
With that, he needs to use the Chrome Developer Tools to watch the places where the encryption keys are generated and obtain the keys during the login process.
He also has to have an open-source Python server running that can help him decrypt the secret parameter.
With all the required details gathered, i.e., private key, public key, and secret parameter, and the Python server connected to the web browser, he can alter the phone number of a group chat member and insert a non-digit character in it. After that, he needs to send one message in the group with the altered phone number. This creates an infinite loop and causes the app to crash for all group chat members.
The crash does not happen just once: it recurs whenever the user returns to the app, forcing them to uninstall WhatsApp and install it again before they can use it. Following the reinstall, the app will work fine, but the group chat contents will be lost.
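The receiving-side check this bug calls for, as an added example that is not WhatsApp's code or Check Point's: the sender's phone number is validated before a group message is stored or rendered, so a malformed message never reaches the local history where it would be processed again on every launch. The message fields, the 5 to 15 digit bound, the membership check and the sample numbers are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: a participant id is a phone number of 5-15 ASCII digits.
# [0-9] is deliberate: \d and str.isdigit() also accept non-ASCII digits.
PARTICIPANT_RE = re.compile(r"[0-9]{5,15}")


@dataclass
class GroupMessage:          # hypothetical message shape
    group_id: str
    participant: str         # sender's phone number as carried in the message
    body: str


def is_valid_participant(value):
    """True only for a str made entirely of ASCII digits within the bounds."""
    return isinstance(value, str) and PARTICIPANT_RE.fullmatch(value) is not None


def ingest(messages, members):
    """Split incoming messages into (accepted, rejected).

    Rejection happens before storage and rendering, so a bad message
    cannot be replayed from the chat history each time the app opens.
    """
    accepted, rejected = [], []
    for msg in messages:
        if not is_valid_participant(msg.participant):
            rejected.append((msg, "malformed participant"))
        elif msg.participant not in members.get(msg.group_id, set()):
            rejected.append((msg, "sender not in group"))
        else:
            accepted.append(msg)
    return accepted, rejected


# Constructed sample input (numbers are made up).
MEMBERS = {"group-1": {"15550100001", "15550100002"}}
SAMPLE = [
    GroupMessage("group-1", "15550100001", "hello"),
    GroupMessage("group-1", "1555010000c", "sender altered with a letter"),
    GroupMessage("group-1", "15550100009", "well-formed but not a member"),
    GroupMessage("group-1", "１５５５０１００００１", "full-width digits"),
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE, MEMBERS)
    print("accepted:", [m.body for m in ok])
    for msg, reason in bad:
        print("rejected:", repr(msg.participant), "-", reason)
```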
Here is the PoC video
WhatsApp Software Engineer Ehren Kret responded to the bug report, saying, ‘WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally.’
He further acknowledged the security researcher’s effort, saying, ‘Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether.’
Over 1.5 billion users use WhatsApp, which is interconnected with other top social networks like Facebook and Instagram. Any flaw, security loophole, vulnerability, or bug can affect a massive number of users.
You can read the complete details by Check Point here.
Featured image: Check Point