Latest in Gear

Image credit:

WhatsApp exploit let one message render the app unusable for entire groups

The issue has been patched, so remember to update your apps.

Sponsored Links

SOPA Images via Getty Images

WhatsApp may be one of the most popular messaging apps, but it has had its share of security issues. Security research group Check Point Research today announced the existence of another one, having recently uncovered a defect through which a single malicious user could crash the apps of all members of a group chat.

After joining a group chat, a user could edit specific message parameters using the WhatsApp web interface and a browser debugging tool. Then they could create an "unstoppable crash-loop for all group chat members" which could only be fixed by uninstalling and reinstalling the app. The exploit would prevent members from returning to the group and and also lose all history of the chat.

This follows another WhatsApp vulnerability discovered by Check Point last year. The FakesApp vulnerability, as it is known, allowed people to manipulate messages in group chats to make it appear as if other users had said things they had not. This worked by manipulating the parameters used by the WhatsApp web interface to fake the apparent sender of a message.

After finding the latest defect, Check Point disclosed the problem to WhatsApp in August as part of a bug bounty program. WhatsApp patched the issue in September with version 2.19.58, so take this as a reminder to keep your apps up to date.

Confirming the patch, WhatsApp Software Engineer Ehren Kret said: "WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally. Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties all together."

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
Tweet
Share

Popular on Engadget

FCC will require phone carriers to authenticate calls by June 2021

FCC will require phone carriers to authenticate calls by June 2021

View
SpaceX aborts Falcon 9 launch with rare 'Liftoff! Disregard' sequence

SpaceX aborts Falcon 9 launch with rare 'Liftoff! Disregard' sequence

View
Apex's electric supercar includes an AR race coach and partial self-driving

Apex's electric supercar includes an AR race coach and partial self-driving

View
Ubisoft offers free games to encourage you to stay at home

Ubisoft offers free games to encourage you to stay at home

View
Accidental cross-play makes Star Wars 'Jedi Academy' a console bloodbath

Accidental cross-play makes Star Wars 'Jedi Academy' a console bloodbath

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr