Facebook-owned instant messaging major WhatsApp has fixed a bug that could have allowed attackers to deliver a malicious group message that repeatedly crashes the app for all the members of the group, a report by security firm Check Point Research has revealed.
The bug, which was discovered as early as August 2019, is said to have the potential to cause a crash loop that could only be fixed by completely uninstalling and reinstalling the app. Even after reinstalling, some of the users wouldn't be able to return to the affected group, leading to the loss of all the messages and media content exchanged in that particular group, Check Point added.
According to a blog post by the company detailing the bug, an attacker would need to be a member of the target WhatsApp group to impact its other members. WhatsApp currently has a limit of 256 members for its groups, which gives the bug a multiplying effect on the number of users who lose data.
After gaining membership, the attacker would need to use WhatsApp Web and a debugging tool such as Google Chrome's DevTools to edit specific message parameters that initiate the crash loop for all group members.
The bug was found by Check Point Research after inspecting the communications between WhatsApp and the WhatsApp Web functionality. The researchers were able to replicate the parameters used in WhatsApp communications in a way that could cause crashes in a loop.
While the affected users would be able to fix the crash loop by reinstalling WhatsApp on their smartphones, the bug forces them to delete the group, which removes all its messages and media.
After Check Point revealed its findings to the WhatsApp bug bounty programme this August, the company released an update to fix the issue. WhatsApp has asked users, especially those who haven't updated WhatsApp since the middle of September, to download the latest version to prevent abuse of this security flaw.
It may be mentioned here that the latest fix comes weeks after WhatsApp was found to include an MP4 file security flaw that could be used to trigger remote code execution (RCE) or denial-of-service (DoS) attacks. The company, back in September, also fixed a bug that could let attackers steal user data directly through a malicious GIF file.
The messaging app has a strong user base of more than 1.5 billion users across the globe, with well over 40 crore of them in India.