WhatsApp is known for its security owing to the end-to-end encryption it provides for the privacy of its users. With over a billion users worldwide, WhatsApp has become a target for hackers and scammers seeking to exploit the vast user base.
The Disclosure
Check Point Software Technologies Ltd. (Check Point), a leading provider of cybersecurity solutions, has found a bug that could let an attacker deliver a specially crafted group chat message that crashes the WhatsApp application for all members of the group chat. It also permanently deletes all the chat messages in that group. Check Point responsibly disclosed its findings to the WhatsApp bug bounty program on 28th August 2019. WhatsApp acknowledged the findings and developed a fix, resolving the issue in version 2.19.58.
The Vulnerability
The vulnerability can be exploited by gaining access to the encryption keys and other secret parameters that WhatsApp servers share with a web browser when negotiating a secure connection with WhatsApp Web. All of these steps can be carried out with an intercepting proxy such as Burp Suite. With those details, an attacker could simply replace a group participant’s phone number with any ‘non-digit’ value, which the application does not handle properly. This leads to a complete crash of the entire WhatsApp application for all members of the group chat.
The Impact
The crash is so severe that affected users are forced to reinstall WhatsApp on their devices. Even after the reinstall, the group chat cannot be restored; it has to be deleted to stop the crash loop, which permanently destroys all of the group’s chat history.
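The failure described above, one malformed participant value crashing the client and costing the whole group history, is an input-validation problem. The following added example (not WhatsApp's code; the message shape, the `<digits>@s.whatsapp.net` identifier format and all function names are assumptions) contrasts a loader that throws on a non-digit participant with one that sets the bad record aside and keeps the rest of the history.

```javascript
// Added illustration: hypothetical message shape { id, participant, body }.
// Assumption: a participant ID looks like "<digits>@s.whatsapp.net".
const PARTICIPANT_RE = /^[0-9]{5,20}@s\.whatsapp\.net$/;

function validateParticipant(value) {
  return typeof value === "string" && PARTICIPANT_RE.test(value);
}

// Fragile: trusts the phone part to be numeric; BigInt() throws on anything else.
function naiveSender(msg) {
  const phone = msg.participant.split("@")[0];
  return "+" + BigInt(phone).toString();
}

// Fragile loader: one bad stored record aborts rendering of the whole group,
// and it will abort again on every restart because the record is persisted.
function naiveLoadGroup(messages) {
  return messages.map((m) => ({ id: m.id, sender: naiveSender(m), body: m.body }));
}

// Hardened loader: validate every record, set bad ones aside, keep the rest.
function loadGroup(messages) {
  const rendered = [];
  const quarantined = [];
  for (const msg of messages) {
    if (msg && validateParticipant(msg.participant)) {
      const sender = "+" + msg.participant.split("@")[0];
      const body = msg.body == null ? "" : String(msg.body);
      rendered.push({ id: msg.id, sender, body });
    } else {
      quarantined.push({ id: msg ? msg.id : null, reason: "invalid participant" });
    }
  }
  return { rendered, quarantined };
}

// Constructed sample history; the second record has a non-digit participant.
const SAMPLE = [
  { id: "m1", participant: "15551230001@s.whatsapp.net", body: "hello" },
  { id: "m2", participant: "not-a-number@s.whatsapp.net", body: "crafted" },
  { id: "m3", participant: "15551230002@s.whatsapp.net", body: "still here" },
];

const result = loadGroup(SAMPLE);
console.log(result.rendered.length, "rendered,", result.quarantined.length, "quarantined");
```

Validating at the point where a record is read back from storage, not only when it arrives, is what keeps a single bad message from turning into a crash loop.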
The Patch
WhatsApp thanked Check Point in a statement for reporting the vulnerability through its bug bounty program.
“WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally. Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether.”
Ehren Kret, WhatsApp Software Engineer
Such an attack results not only in denial of service but also in a potential loss of data. After a successful attack, the victim would be more focused on their other communication platforms, and the attacker, knowing the target’s WhatsApp is likely inaccessible, could start sending SMS or email phishing messages. The attacker could even exploit the situation by claiming to be from WhatsApp and promising steps to recover data, to convince targets to click a malicious link. WhatsApp didn’t see any signs of anyone actually exploiting the bug.