Chat history and user groups are affected

Dec 3, 2014 21:22 GMT  ·  By

Leveraging a flaw in the WhatsApp cross-platform messaging solution, attackers could force users to delete the conversation history with their contacts, two young security researchers claim.

The exploit consists in sending the target a specially crafted message that crashes the app each time the user tries to open it. The only way to be able to use WhatsApp is to delete the conversation thread, according to 17-year-olds Indrajeet Bhuyan and Saurav Kar, the duo assuming credit for the discovery.

WhatsApp groups are also affected by the bug

Bhuyan said via email that an issue with the same outcome was discovered in the past, where someone had to deliver a 7MB-large message to crash the app.

However, the duo says that the bug they found does not require the message to be this large and only 2KB of text containing special characters is enough to crash the app; this is still plenty of characters though.

WhatsApp also supports groups, which allows sending the same message to multiple people. If a malicious text is sent to the entire group, every member is affected and they would have to leave the group.

This may not be a simple matter to deal with, considering that many people use WhatsApp for more than just casual conversations. Even if the thread is backed up, it still includes the crashing message, and upon restoration, the same issue emerges.

As such, until a fix is provided, the entire message history has to be deleted in order to be able to use the app as intended by the developer.

The glitch is not present on all platforms

The teenagers said that the vulnerability was tested on the Android version of the app, on devices running JellyBean and KitKat. They also tried to reproduce the bug on a Windows 8.1 device, but WhatsApp behaved normally.

As far as the versions of the software behaving this way are concerned, it appears that versions 2.11.431 and 2.11.432 are affected.

As per Google Play information, the app has been downloaded more than 500 million times, and it received an update on Wednesday. Some miscellaneous bugs have been fixed and improvements have been added, but the developer does not mention if this glitch has been eliminated.

To prove their discovery, the two created a video where WhatsApp crashes every time the recipient of the large message tries to open the conversation. The video can be watched below.

Recently, WhatsApp added end-to-end encryption on Android by collaborating with Open Whisper Systems, an open-source project whose goal is to help make communication more private and more secure.

WhatsApp crash (8 Images)

2KB-large messages with special characters cause WhatsApp to crash
Restoring the functionality of WhatsApp is done by deleting the chat historyMenu for deleting conversation containing the app crashing message
+5more