A new security flaw was found in WhatsApp that could have let hackers repeatedly crash the app for all members of a group chat, which could only be fixed by uninstalling and reinstalling the app.
But even after the application is restored, users are not able to return to the group, resulting in the loss of all the previous messages and media exchanged in the chat.
This vulnerability was found by cybersecurity researchers at Check Point, who worked with WhatsApp to ensure it can't be exploited by malicious attackers. The company later fixed the bug.
Check Point had previously researched how hackers could tamper with WhatsApp, which helped the security analysts understand how WhatsApp messages are communicated and how they can be manipulated.
To launch the application-crashing attack, the attacker first has to gain entry to the WhatsApp group they wish to target. Even though only 256 users are allowed per group, this might not prove too difficult.
The attacker needs to be able to use WhatsApp Web and open Chrome's DevTools, and to gain access to the secret parameters used by the application as part of how group chats operate.
For this, legitimate penetration-testing tools must be used. Here, the researchers managed to gain access to WhatsApp traffic and decrypt the secret parameters into plain text, allowing the attacker to decrypt and modify messages.
The researchers used this technique to alter the identifying phone number of members of the group, replacing it with non-digit characters. A message sent with this altered number could then crash the application for every member of the group.
When WhatsApp is reopened, it continues to crash in an infinite loop. This means that the group has to be deleted and WhatsApp needs to be reinstalled for it to work again. This gets the app working properly again, but the group and all of its contents are lost forever. Even if all members of the group reinstall the app, any information sent previously is lost.
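The following sketch is an added illustration of the failure pattern described above and of the defensive fix; it is not WhatsApp's or Check Point's code. The record layout, function names and length bounds are assumptions, and the sample history is constructed. It compares a loader that trusts the participant field with one that validates it and sets bad records aside, across repeated launches that re-read the same stored history.

```javascript
// Added illustration; field names and store layout are hypothetical.
// Constructed sample: persisted group history with one non-digit participant.
const storedMessages = [
  { id: 1, participant: "15551230001", body: "hello" },
  { id: 2, participant: "c@3x!", body: "altered sender" },
  { id: 3, participant: "15551230002", body: "still here" },
];

// Naive loader: trusts that the participant field is numeric.
// BigInt() throws a SyntaxError on non-digit input, aborting the whole load.
function loadGroupNaive(messages) {
  return messages.map((m) => ({ ...m, sender: BigInt(m.participant) }));
}

// Hardened loader: validate before parsing, set bad records aside, keep going.
const PHONE_RE = /^[0-9]{5,15}$/; // length bounds are an assumption
function loadGroupHardened(messages) {
  const rendered = [];
  const quarantined = [];
  for (const m of messages) {
    if (typeof m.participant === "string" && PHONE_RE.test(m.participant)) {
      rendered.push({ ...m, sender: BigInt(m.participant) });
    } else {
      quarantined.push(m.id); // set aside instead of being parsed or rendered
    }
  }
  return { rendered, quarantined };
}

// Each "launch" re-reads the same store, so a record that throws once
// throws on every launch until it is removed.
function countCrashes(loader, messages, launches) {
  let crashes = 0;
  for (let i = 0; i < launches; i++) {
    try {
      loader(messages);
    } catch (err) {
      crashes++;
    }
  }
  return crashes;
}

console.log("naive crashes in 3 launches:", countCrashes(loadGroupNaive, storedMessages, 3));
console.log("hardened crashes in 3 launches:", countCrashes(loadGroupHardened, storedMessages, 3));
console.log("quarantined ids:", loadGroupHardened(storedMessages).quarantined);
```

The hardened loader keeps the other messages in the group readable, which is the property the affected versions lacked according to the report.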
Oded Vanunu, head of products vulnerability research for Check Point, stated that this can be a tool for pure vandalism, or used to specifically target a group such as political advisors or company executives to disrupt their communications. Once a chat group has been attacked using this flaw, all data in that group chat is lost permanently.
Researchers reported their findings to the WhatsApp bug bounty program in August. The company acknowledged the report and fixed the issue with the release of WhatsApp version 2.19.58 in September. Users who have not updated WhatsApp since September must download the latest version to prevent being attacked in this way.