A flaw enabling malicious actors to permanently crash group chats on popular messaging platform WhatsApp Messenger was revealed by researchers at Israeli cybersecurity company Check Point Software Technologies on Tuesday. The vulnerability, discovered by the company’s threat intelligence arm Check Point Research, allowed attackers to deliver a malicious chat message that would crash the smartphone app for all group members. To regain use of the app, users would need to uninstall and reinstall it, and permanently delete the group containing the message. WhatsApp, a subsidiary of Facebook, has 1.5 billion users and over one billion groups – which can each contain up to 256 users. More than 65 billion messages are sent daily via the free platform. Malicious actors seeking to target WhatsApp would need to be a member of the target group. To permanently crash the group, attackers needed to use WhatsApp Web and their web browser’s debugging tool to edit specific message parameters and send the edited text to the group, causing a crash loop for members and denying access to all WhatsApp functions. “Because WhatsApp is one of the world’s leading communication channels for consumers, businesses and government agencies, the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors,” said Check Point Head of Product Vulnerability Research Oded Vanunu. “All WhatsApp users should update to the latest version of the app to protect themselves against this possible attack.” Researchers identified the vulnerability by inspecting communications between WhatsApp and WhatsApp Web, the desktop version of the platform which mirrors messages sent and received from the user’s phone. The communications enabled researchers to track parameters used by the app and manipulate them. Check Point said its findings were disclosed on August 28 to WhatsApp, which quickly developed a fix to resolve the issue. “WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally,” said WhatsApp engineering manager Ehren Kret. “Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties all together.” In November, WhatsApp rolled out a new privacy setting enabling users to decide who can add them to groups. Rather than being automatically added to groups, users can opt to receive a private invite through an individual chat, giving the choice of whether or not to join.
Source
Comments are closed.