Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/17/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Facebook Fixes WhatsApp Group Chat Security Issue

Flaw allowed attackers to repeatedly crash group chat and force users to uninstall and reinstall app, Check Point says.

Facebook has fixed a bug in its WhatsApp chat platform that gave attackers a way to send a malicious group-chat message capable of repeatedly crashing the entire application for all members of a targeted chat group.

To regain access to the application, the victim would have had to uninstall and reinstall WhatsApp. Without re-installation, the user couldn't return to the chat group because the app would repeatedly crash with each attempt.

The targeted group itself would have to be deleted and restarted, resulting in a complete loss of group chat history, Check Point said.

"The crash-loop is a killing of the app that is unstoppable," says Ekram Ahmed, head of public relations at Check Point. "In the first cycle, the app is crashed. Then the user tries to regenerate the app. The app crashes again without any warning. It's a consistent loop that crashes the app - on and on," he says.

This is the second time in recent months that Check Point has identified an issue in WhatsApp. At Black Hat USA this August, researchers from the company showed how an attacker could intercept and manipulate WhatsApp messages in an individual or group setting to spread fake news and create other problems.  

Check Point researchers used a Web-debugging tool to intercept and decrypt the communication that happens between WhatsApp and WhatsApp Web when a user launches the desktop version of the app. By replacing some of the parameters in that communication, the researchers showed how they could change the content of chat messages and impersonate others.

At the time, Facebook described the issue as having nothing to do with the security of the end-to-end encryption on its messaging platform. The company has instead said the issue is similar to someone altering the contents of an email message. More than 500 million people worldwide on average are active on WhatsApp daily, according to Statista.

The latest — and now patched — exploit involves the same communication between the mobile and Web version of WhatsApp. In this case, the researchers found that by examining and manipulating one specific message parameter containing a message sender's phone number, they could cause the app to crash for all members in a chat group.

An attacker would first need to gain access to a target group and assume the identity of a group member, which in this case could be accomplished by manipulating the message parameter containing the user's phone number, Ahmed says. WhatsApp allows for up to 256 members to be part of a single group.

The attacker could then edit other specific message parameters and create a malicious message that is sent to all members in a targeted group, causing the crash-loop.

Check Point reported the issue to WhatsApp's bug bounty program in August and the issue was quickly resolved, the security vendor said. A fix for the flaw is available in WhatsApp version 2.19.58 and users should manually apply it as soon as possible, Check Point advised.

Erich Kron, security awareness advocate at KnowBe4, said that while the bug is destructive and inconvenient, it at least does not enable the content of conversations or personal data to be exposed. Apple Store currently does not have the new fixed version of WhatsApp available for download, he noted, but users should keep checking and apply the patch as soon as it becomes available.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Disarming Disinformation"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...