Israeli researchers from cybersecurity firm Check Point unveiled this week that they discovered a breach in popular messaging app WhatsApp – owned by Facebook – that would allow hackers to obstruct member access to group chats by delivering a malicious message that would cause a crash loop. Even after reopening, users would not be able to access the affected group and all the data in that particular group would be lost since it cannot be restored. The only way to regain access would be to delete and then reinstall WhatsApp.
According to a Check Point Research post published on Tuesday, the bug was discovered in August 2019 and reported to WhatsApp which has since fixed it in version 2.19.58 and beyond.
SEE ALSO: Facebook, WhatsApp Sue Israeli Cyber Intel Firm NSO Group Over Alleged Hacking Attack
The researchers said that to create the malicious message that would impact a WhatsApp group, the attacker would need to be a member of the target group and since WhatsApp allows up to 256 users per group, one or more could make their way in. From there, the bad actor would need to use WhatsApp Web, the web version of the app, and their web browser’s debugging tool to edit specific message parameters and send the edited text to the group. This edited message would cause a crash loop for group members, denying users access to all WhatsApp functions until they reinstall WhatsApp and delete the group with the malicious message.
Check Point published technical details of the bug in the post. The research team indicated that the vulnerability was found by inspecting the communications between WhatsApp and WhatsApp Web, which mirrors all messages sent and received from the user’s phone. This enabled researchers to see the parameters used for WhatsApp communications and manipulate them.
The researchers said the impact of this vulnerability is “potentially tremendous, since WhatsApp is the main communication service for many people,” and the bug “compromises the availability of the app which is crucial for daily activities.”
“Because WhatsApp is one of the world’s leading communication channels for consumers, businesses, and government agencies, the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors,” said Oded Vanunu, Check Point’s Head of Product Vulnerability Research, in a press statement.
WhatsApp has over 1.5 billion users in over 80 countries, and more than a billion groups, making it the most popular instant messaging app in the world. Over 65 billion messages are sent on WhatsApp daily and more than two billion minutes of voice and video calls are made, according to a 2018 CNET report.
WhatsApp said it greatly values “the work of the technology community to help us maintain strong security for our users globally,” according to a press statement by WhatsApp Software Engineer Ehren Kret.
“Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether,” added Kret.
Check Point’s latest discovery builds on a previous breach in WhatsApp, uncovered in 2018, that would allow hackers to intercept and modify messages sent in both private and group conversations, which had the potential to spread misinformation, fake news, and scams. Check Point found this flaw by looking at WhatsApp’s encryption process.
The company famously employs end-to-end encryption which ensures that messages, pictures, calls, videos, voice notes and other content can be seen only by the user and the recipient and no one else, not even WhatsApp.
But it has not been immune to hacks. In late October, WhatsApp filed a lawsuit against Israeli cyber intelligence firm NSO Group, accusing it of being behind a malware attack earlier this year that targeted some 1,400 people across the world, including human rights activists and journalists.
WhatsApp said the cyber-espionage campaign was designed to infect the devices of the targets for the purpose of conducting surveillance of specific WhatsApp users. The company accused NSO Group of exploiting a security flaw and targeting users’ mobile phones through WhatsApp’s call function. NSO Group became infamous in recent years for developing a powerful, invasive piece of spyware called Pegasus that can access private data including passwords, web history phone call logs, contact lists, and text messages, and can monitor live calls from messaging apps. It can also turn on phone cameras and microphones to track events in the vicinity and use the GPS function to monitor a target’s location and movements.
Also in October, a researcher found a vulnerability in WhatsApp that would have made it possible for attackers to gain access to files and messages using malicious GIFs.
Related posts
Editors’ & Readers’ Choice: 10 Favorite NoCamels Articles
Forward Facing: What Does The Future Hold For Israeli High-Tech?
Impact Innovation: Israeli Startups That Could Shape Our Future
Facebook comments