So what do you do when your favorite IM app decides to pull the ‘Read Receipts’ feature on you? If you’re a security researcher, you figure out how to crash it for others. WhatsApp may have added the ability to turn that feature off, but a group of security research students in India have demonstrated how a simple text message can be used to crash the app at the receiver’s end, pretty much ending the “message seen” dramas.
Indarjeet Bhuyan and Saurav Kar demonstrated the crash by exploiting a vulnerability found in the WhatsApp’s Message Handler. Apparently 2,000 words, or more precisely, a message containing 2,000 special characters (roughly 2KB in size), can crash any WhatsApp messenger app it is sent to.
A similar discovery was made prior to this demonstration, where a gigantic 7MB message could bring the receiver’s app to its knees, with occasional OS freezes as well. Similar to that, this new vulnerability once exploited, is not a one-time deal, and the app will continue to crash every time a user attempts at opening the conversation thread. So what do you do if someone does decide to pull this annoying prank on you? You delete the entire conversation thread.
Singling out the deletion of an entire conversation as the only viable option to get your WhatsApp working again paves the way for users to forcefully delete their chat history on someone else’s device, given the lack of choice for the receiver, and well, the lack of any Snapchat-like abilities for the sender. Luckily – or unluckily, if you had some plans – WhatsApp automatically backs up your entire conversations, however it’s not backed up by the minute or hour.
The exploit even works for group chats, forcing participants to exit the thread. And the exploit seems to be working on most versions of the Android OS, including Jelly Bean, KitKat and below as tested by the duo. It is yet to be tested on the iOS version of WhatsApp, but given the earlier 7MB message fiasco holding true for Android and iOS, it may affect Apple’s mobile OS as well, but there are reports that it does not affect the platform at all. Similarly, the Windows Phone 8.1 version of the app remains unaffected too.
If this exploit catches on, we’re likely looking at around 500 million users who could be affected by this vulnerability unless WhatsApp patches it up in haste.