After joining a group chat, a user could edit specific message parameters using the WhatsApp web interface and a browser debugging tool. Then they could create an "unstoppable crash-loop for all group chat members" which could only be fixed by uninstalling and reinstalling the app. The exploit would prevent members from returning to the group and and also lose all history of the chat.
This follows another WhatsApp vulnerability discovered by Check Point last year. The FakesApp vulnerability, as it is known, allowed people to manipulate messages in group chats to make it appear as if other users had said things they had not. This worked by manipulating the parameters used by the WhatsApp web interface to fake the apparent sender of a message.
After finding the latest defect, Check Point disclosed the problem to WhatsApp in August as part of a bug bounty program. WhatsApp patched the issue in September with version 2.19.58, so take this as a reminder to keep your apps up to date.
Confirming the patch, WhatsApp Software Engineer Ehren Kret said: "WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally. Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties all together."