WhatsApp has witnessed several security issues since the beginning of 2019. With stories such as battles with governments, multiple vulnerabilities, hacking campaigns, etc., doing rounds every now and then. And now, just as the year is about to end, there’s yet another security threat looming at WhatsApp.
This time is from specially crafted “app killing” messages that crash WhatsApp severely such that users are taken offline and may find it difficult to return.
Who is at risk?
In September, WhatsApp did patch up the issue after it was first disclosed by cyber-security researchers at Check Point. However, if you have not installed before the patch up, you remain at risk.
Check Point has requested all WhatsApp users to update to the latest version of the app. WhatsApp, however, maintains that the threat is obscure and less likely to impact users in the real world. However, the issue needs to be taken care of as it carries a potential of high risk.
Let’s understand why the case is so complicated.
The threat relies on two different security vulnerabilities, both of which have been patched. The first is that a user can be added to a group without asking for his consent. The user receives a message that he has been added to the group. Second is that the metadata built into the message breaks the WhatsApp phone app when the message is received. When both these vulnerabilities are combined, you can have a frightening new attack vector.
How can one exploit such a vulnerability?
If you have phone numbers of a group of reporters or activists, you can add those numbers to a group and then send an “app killing” message. Although this appears harmless, the moment the message is opened WhatsApp will crash. It will fail to restart until it is deleted and reinstalled. So, if users do not have backups, they will lose their data.
Such an attack can be tailored just before a protest or political event or it could take an individual or group of people offline.
Oded Vanunu, Check Point researcher stated that though Whatsapp has seen “denial of service” previously, the ‘app killing’ message is devastating. Users who do not back-up will lose everything. Also, non-technical users will not be able to activate Whatsapp again.
A WhatsApp spokesperson stated that issues for all WhatsApp app were resolved in mid-September. In fact, WhatsApp has even added new controls that prevent people from being added to unwanted groups and avoid communication with unknown parties completely.
WhatsApp probably isn’t aware or won’t share the percentage of its user base that has shifted to patched versions of its apps. The issue has affected Android than iOS. However, it is best that users up-date all their messaging platforms regularly.
The issue also affects groups to a large extent to groups. Most of us are a part of several groups and many of the groups have changing memberships. Therefore, it is worth being mindful of the groups you are not aware of or no longer use, how the groups are administered and even check the membership lists on a regular basis.
How does it work?
Watch Check Point’s proof of concept video and messaging screenshot below.
As WhatsApp fails to process data, it crashes, affecting all the group members. There is no way out and the app must be reinstalled.
Check Point reveals that by sending the message, the WhatsApp app will crash in every phone that is a member of the group. Its effects are so bad that the crash will repeat every time the app is reopened. It forces all the users to delete the app and reinstall it.
This isn’t the first time for WhatsApp. Earlier this year, it witnessed alleged hacking of dissidents and activists by Israeli spyware firm NSO. In October, WhatsApp flaw allowed an attacker to use a “malicious GIF” to access user content. However, WhatsApp patched the issue quickly. In November, Facebook quietly confirmed that a security issue could risk users of malware being planted on their devices through “specially crafted MP4” files sent via WhatsApp. However, the issue was resolved before any damage could be done.
While both Facebook and WhatsApp team take security seriously, the platform's issues are not unique. Though its rival Telegram and standard SMS have also been exposed to attacks, it is WhatsApp that has become the mass-market security standard bearer and that is why it gets really difficult for the app.