Check Point discussed a series of chat manipulations they were capable of per-forming on the service by decrypting the communication between the mobile and web versions of the WhatsApp app. They presented three manipulations at the BlackHat 2019 conference and WhatsApp has had some of those vulnerabilities patched. Their continued research into the app has revealed a critical flaw in how WhatsApp responds to unexpected inputs in the phone number parameter.
The Check Point team was able to modify the contents of the phone number parameter to something beyond the allowable 5-20 numerical character range. A malicious actor can modify it into any non-numerical character, then send a message to a group in which the malicious actor is already participating to crash the Application for all the participants of the group. The app would then enter a crash loop being unable to be reopened until the user deletes the offending message and group.
The group is thus forever lost and all historic data within those communications are lost. Check Point’s head of product vulnerability research also points out that a malicious actor could send out a timed phishing message directly or shortly after the malicious message crashes the victim’s WhatsApp application. An unwary user might be more susceptible to a timely sms or email message requesting personal or sensitive information in hopes of repairing their app.
WhatsApp Engineer, Ehren Kret, claims in a statement to WIRED that the issue has been patched since mid-September and that there are additional controls to maintain the security of group chats.
How do you know whether a product will still be a joy to work with after your honeymoon period as a customer is over?