WhatsApp has recently patched a new bug that could crash the app for up to 256 people at once. Simply by sending a group message, a malicious group member could crash WhatsApp for all group members in a loop.
Researchers at Check Point Research found the vulnerability, which lets a potential attacker trigger a destructive WhatsApp crash loop by sending a special message in the group. The bug can crash WhatsApp on both iPhone and Android.
When a group member with an invalid phone number sends a message in the group, WhatsApp throws a null pointer exception that leads to the crash. Opening the group to read the message results in a crash, and users need to delete that particular group to use WhatsApp again.
Researchers used WhatsApp Web, Chrome’s Dev Tools, and Burp Suite to create the indefinite crash loop.
The bug resides in XMPP (Extensible Messaging and Presence Protocol), a communication protocol for instant messaging. When we attempt to send a message where the parameter “participant” receives a value of “null”, a ‘Null Pointer Exception’ is thrown.
Researchers, Check Point Research
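The failure mode described above, next to a defensive way to handle it, as an added example (not WhatsApp's or Check Point's code). The message fields, the `@chat.example` suffix and the digits-only sender rule are assumptions made for illustration.

```javascript
// Added example: hypothetical field names and validation rule, not WhatsApp's code.
// Constructed sample of a persisted group history; message m2 carries a
// participant value that does not parse as a phone-number sender ID.
const storedGroupMessages = [
  { id: "m1", participant: "15550100@chat.example", body: "hello" },
  { id: "m2", participant: "x@chat.example", body: "malformed sender" },
  { id: "m3", participant: "15550101@chat.example", body: "anyone there?" },
];

// Assumed rule: a sender ID is digits followed by the server suffix.
// Anything else yields null, mirroring the "participant is null" case.
function parseParticipant(raw) {
  const m = /^(\d+)@chat\.example$/.exec(String(raw));
  return m ? { phone: m[1] } : null;
}

// Fragile renderer: dereferences the parse result without checking it.
// The history is persisted, so this throws on every open of the group.
function renderGroupFragile(messages) {
  return messages.map((msg) => {
    const sender = parseParticipant(msg.participant);
    return `${sender.phone}: ${msg.body}`; // TypeError when sender is null
  });
}

// Hardened renderer: validates each record, quarantines bad ones and keeps
// rendering the rest, so one malformed message cannot take down the view.
function renderGroupHardened(messages) {
  const rendered = [];
  const quarantined = [];
  for (const msg of messages) {
    const sender = parseParticipant(msg && msg.participant);
    if (sender === null) {
      quarantined.push(msg && msg.id);
      continue;
    }
    rendered.push(`${sender.phone}: ${msg.body}`);
  }
  return { rendered, quarantined };
}

// Simulates reopening the group several times; returns how many opens crashed.
function countCrashes(render, messages, opens) {
  let crashes = 0;
  for (let i = 0; i < opens; i++) {
    try { render(messages); } catch (e) { crashes++; }
  }
  return crashes;
}
```

The quarantine list gives the client something to log or report, which is what lets the bad record be identified without deleting the whole group.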
The bug has been patched in version 2.19.246 and onwards. Because WhatsApp is so heavily relied on today, such a bug can destroy a group's entire conversation.
Because WhatsApp is one of the world’s leading communication channels for consumers, businesses and government agencies, the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors.
Oded Vanunu, Check Point’s Head of Product Vulnerability Research