Pranksters rejoice!
A security researcher has revealed a way you can crash another user’s WhatsApp by sending them a single message.
18-year-old Indrajeet Bhuyan is no stranger to finding flaws in the WhatsApp messenger app, having last year discovered a way to create a specially crafted message that crashes the app every time it is opened, and forcing recipients to delete the entire message thread.
WhatsApp fixed that flaw, but is now shown to be vulnerable to another flaw along similar lines that Bhuyan has uncovered.
In a blog post, Bhuyan describes that over one billion WhatsApp users around the world are running the risk of receiving a message containing approximately 6000 emojis.
And that number of smiley faces is, apparently enough to either crash the desktop or Android version of WhatsApp, and cause the iOS version to freeze for some seconds.
Why would someone want to send another WhatsApp user an emoji bomb? Well, aside from childish pranks, Bhuyan offers the scenario of online bullies or extortionists, who might want to send an abusive message to their intended target but then prevent the conversation from being shown to other parties.
A YouTube video made by Bhuyan demonstrates how an attacker could cause a remote victim’s WhatsApp account to crash.
Typing quite so many emojis may put many of us off the idea of experimenting with this bug, but it’s not hard to imagine a determined malicious attacker using cut-and-paste to rapidly build a long enough message.
Although some may be tempted to think this isn’t a serious bug, I would argue that it suggests that WhatsApp’s developers aren’t doing enough to ensure that they have coded their messaging app securely. Proper systematic testing should have found the flaw, which sounds like a failure to conduct proper input validation – preventing users from entering so many emoji characters that would ultimately cause a buffer overflow.
Bhuyan says he has reported the flaw to WhatsApp, and is hopeful that they will fix it in their next version.
In the meantime, go easy on the smiley faces you send to friends and loved ones this Christmas.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all posts