A report issued by Check Point Research on Tuesday revealed that WhatsApp has fixed a bug that could have allowed attackers to send a malicious group message that repeatedly crashes the app for all group members. The bug, which was discovered in August, is said to have the potential to cause a crash loop that can only be resolved by uninstalling the app and completely reinstalling it. Even after reinstallation, users were unable to return to the affected group, and therefore lost all messages and media content exchanged in that group.
According to the Check Point Research blog post detailing the bug, the attacker would need to be a member of the target WhatsApp group to affect its other members. The instant messaging app allows up to 256 members per group, which is not so small and leaves room for a bad actor.
Once they become a member, the bad actor would need to use WhatsApp Web and a debugging tool like Google Chrome DevTools to edit specific message parameters, which causes the crash loop for all group members.
The bug was found by the Check Point Research team while examining the communication between WhatsApp and WhatsApp Web. The researchers were able to manipulate the parameters used in WhatsApp communication in a way that can cause frequent crashes. The technical details of the bug have been published in the blog post.
While affected users can break the crash loop by reinstalling WhatsApp on their device, the bug forces them to delete the group, which removes all of its messages and multimedia content.
“Since WhatsApp is one of the world’s major communication channels for consumers, businesses, and government agencies, the ability to prevent people from using WhatsApp and eliminate valuable information from group chats is a powerful weapon for bad actors,” said Oded Vanunu, head of the vulnerabilities scan division at Products Check Point, in a press release.
Check Point Research disclosed its findings to the WhatsApp Bug Rewards program on August 28. WhatsApp fixed the bug as of Android version 2.19.58. Users, especially those who haven’t updated WhatsApp since mid-September, are advised to download the latest version to avoid crashes caused by malicious group messages.
“WhatsApp highly appreciates the work of the technology community to help us maintain strong safety for our users all over the world,” said Ehren Crete, WhatsApp Software Engineer. “Thanks to the responsible submission of Check Point to the Bug Rewards program, we quickly resolved this issue for all WhatsApp apps in mid-September. We recently added new controls to prevent people from being added to unwanted groups to avoid communicating with all untrustworthy parties.”
The latest fix comes weeks after WhatsApp detected an MP4 file vulnerability that could be used to trigger remote code execution (RCE) or denial-of-service (DoS) attacks. In September, the Facebook-owned app also fixed a bug that could have allowed attackers to steal user data directly through a malicious GIF file.
WhatsApp has a user base of more than 1.5 billion worldwide, with more than 400 million users in India alone. This gives researchers an important reason to search for new vulnerabilities.