WhatsApp fixes security vulnerability that could have been used to fully delete group chat data
A new WhatsApp bug allows other people to send malicious messages in group chats and crash the app for all members of the conversation. CheckPoint experts report that the security flaw was discovered back at the end of August, and findings were provided to the developers, who consequently fixed the issue in the latest 2.19.246 version. According to the statement, by exploiting the vulnerability, threat actors could modify messages to their advantage and use it as a tool to get access to the messenger and cause crash-loop.
Sending one maliciously infected message to the targeted group chat triggers the destruction of WhatsApp, and all members of the chat have to reinstall their applications, consequently deleting the contents of the conversation. The flaw exists in the WhatsApps communication protocol and causes WhatsApp to crash when the message from an invalid phone number with modified parameters is sent to the group chat.
The report from the research team at CheckPoint states:
By sending this message WhatsApp application will crash in every phone that is a member of this group. The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop. Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.
For the flaw to work, hackers need to employ WhatsApp Web and WhatsApp Manipulation tools
A third-party that wants to access data in the group chat leverages WhatsApp Web and web browser debugging tool and open-source WhatsApp manipulation tool that CheckPoint released a year ago – it allows users to decrypt and re-encrypt their communication using encryption keys of their own. To perform the attack successfully, malicious actors have to be members of the chat group, however.
The simple parameter replacement allows the hacker to trigger a never-ending crash. The phone number of the initial sender gets changed to email@example.com – an invalid non-digit phone number. Because the received message changes a phone number into an invalid one and nobody can delete it, the members enter a crash-loop, which does not stop until WhatsApp is reinstalled altogether (i.e., group chat is left with no members). Consequently, all the previously accessible information will be eliminated and can no longer be accessed.
As Checkpoint researchers say, there are several ways to malicious actors could exploit the flaw for their advantage, deleting valuable information from existence:
In WhatsApp there are many important groups with valuable content. If an attacker uses this technique and crashes one of these groups all chat history will be gone and further communication would be impossible.
The impact of this vulnerability is potentially tremendous, since WhatsApp is the main communication service for many people. Thus, the bug compromises the availability of the app which is a crucial for our daily activities.
A year after the latest news regarding WhatsApp vulnerabilities
The encrypted chat app is not flawless, as numerous vulnerabilities were found in WhatsApp before. In summer, another security flaw was found in the video chat function that was exploited to infect iPhones with spyware like Pegasus. The bug allowed attackers to access chat messages and other content like audio, video, photos, and contacts. Particular targets of such campaigns involved civil and digital rights lawyers, government officials, and activists.
This issue was also quickly patched, but CheckPoint discovered another flaw in a few months, and even though the group chats flaw was patched rather quickly, researchers note that people need to update their applications to the latest version to protect themselves against attacks. While it may seem not as important, the ability to delete valuable information from conversations might be a powerful weapon, especially when with more than 1.5 billion users all over the world.