Check Point Software, a multinational cybersecurity firm, revealed a potentially calamitous, although old, bug in the Facebook-owned messaging service WhatsApp on Tuesday.
News of the bug came in a report which dubbed it the “WhatsApp Crash and Data Loss Bug”. As the name suggests, the bug caused the service to crash with the added loss of data.
However, the bug could only affect users who were part of a group chat.
How it Worked
The report illustrates in detail how a hacker or cybercriminal could utilize the bug.
First and foremost, because the bug only affected group chats, the hacker would have to be a member of the chat they were targeting.
Once part of the group, the hacker could plant the bug in a text message by using the web version of WhatsApp. To tamper with the message, however, the hacker would need a decryption tool, because each text sent on WhatsApp is encrypted.
Once the text reached the group, any member who opened it would encounter a crash loop, i.e., their app would crash again and again on opening.
To fix the crash loop, the user would’ve had to uninstall and reinstall WhatsApp and leave the group.
This posed two problems. First, users were unlikely to arrive at this solution on their own. Second, and more damaging, all data from the affected group would be irretrievably lost.
WhatsApp is a widely used service, with over 1500 million users worldwide relying on it for everything from business to personal communication, so any loss of data could have grave implications.
This bug, discovered in August, is tied to another bug Check Point discovered around the same time. The related bug allowed users to change the content of someone else’s reply in a group, send a private message that falsely appeared to be a public message, and change the identity of the message sender.
Prompt Action by WhatsApp Urging Users to Update
On being notified of the bug by Check Point as part of WhatsApp’s bug bounty program, the messaging service quickly tackled the problem.
As of September 2019, the bug seems to be fixed. Anyone using version 2.19.58 or above is therefore safe from the Crash and Data Loss Bug. However, those who last updated their apps before mid-September are still at risk.
Given its large and varied user base and its utility, WhatsApp cannot afford to have such bugs. However, no system is free of errors, and security bugs have plagued the service from time to time.
Research released by Symantec in July 2019 highlighted that WhatsApp media files were vulnerable to being infected in the time it takes for them to be downloaded and saved on a device.
More recently, WhatsApp announced that the service would no longer be available on very old smartphone operating systems, cutting off people who use “incompatible” phone models after February 2020. The rule applies to both Android and iPhone operating systems.