Another flaw has been found in the Facebook-owned WhatsApp, just days after the reveal of a video issue that enabled remote code execution. Thankfully, this one is unlikely to lead to malware installation and has already been fixed.
If exploited, however, it could have proved extremely annoying. By using WhatsApp Web, its WhatsApp Manipulation Tool, and a Python server, Check Point Research was able to crash the app for all participants in a group conversation.
Further, it was able to put WhatsApp into a crash loop on those devices via a Null Pointer Exception, modifying a participant's phone number to a non-supported one. The crash loop can only be resolved if a user clears their app cache or reinstalls, and the chat history must be wiped for the app to resume functioning. This means attackers could have potentially deleted important data from a WhatsApp group.
“The impact of this vulnerability is potentially tremendous, since WhatsApp is the main communication service for many people,” said Check Point. “Thus, the bug compromises the availability of the app which is a crucial for our daily activities.”
Those with version 2.19.246 and higher should be safe from the bug, which was discovered in August 2019. Needless to say, we're thankful that researchers found this before it caused any real damage.
Still, the volume of WhatsApp vulnerabilities discovered towards this year is concerning. As well as video files, an RCE flaw was found in GIF files in October, and one in May let attackers deploy spyware via unanswered video calls.
It adds another factor when it comes to calls for splitting up Facebook's social media empire. Should it combine the backends of Messenger, WhatsApp, and Instagram chat as planned, poor security could mean a single flaw brings users' entire communications network to the ground.