A WhatsApp security flaw could have been exploited by hackers to create ‘mass chaos,’ say researchers

This past summer, security researchers found a security flaw in WhatsApp’s video chat function, which Israeli cyber arms firm NSO Group reportedly tried exploiting to infect iPhones with its Pegasus spyware. WhatsApp quickly patched the security hole, but another surfaced in recent months. Cybersecurity researchers at Check Point Software announced today that they detected a serious WhatsApp “defect” in group chat messages, which a malicious actor could have exploited to target users.

While crashing a group chat might seem rather tame compared to NSO Group’s Pegasus exploit for WhatsApp, which allowed it to take over a user’s entire phone, this recent exploit could have proven problematic. Malicious actors could have gained access to chat messages and related content such as audio, video, photos, and the users’ phone contacts. This could have created “mass chaos,” per the researchers. Possible targets of such an exploit could have included activists, dissidents, civil and digital rights lawyers, businesses, or even government officials. (WhatsApp, which is owned by Facebook, is popular among such users, as it features the end-to-end encryption technology of the Signal encrypted messaging platform.)

While WhatsApp’s messages are most often one-to-one communications, many of the app’s 1.5 billion users make use of its group chat functionality. With its new WhatsApp Manipulation Tool, Check Point recently began testing for new ways to manipulate the WhatsApp protocol.

Typically, when a user sends a message to a WhatsApp group, the app undergoes a process to identify the sender. Using its tool, Check Point was able to access this function and edit it, so that the entire message vanished for all participants, along with the entire chat history. Thereafter, each time users would have attempted to re-access the group chat, WhatsApp would have crashed. To stop this “crash loop,” users would have been forced to uninstall WhatsApp and reinstall it.

Ekram Ahmed of Check Point tells Fast Company that its new report grew out of company tests, which built upon its previous research into WhatsApp. It was during this previous round of research that Check Point created its tool for manipulating WhatsApp messages.

“Our research team always looks for new vulnerabilities in popular technologies,” says Ahmed. “Since WhatsApp is one of the most popular messaging applications in the world, it was clear to us that we had to take a deeper dive.”

Ahmed said it’s possible that a similar malicious exploit has been used to crash WhatsApp group chats, but he cannot say for sure. Check Point is now in the process of retroactively looking for traces of it in the wild.

“We believe we’ve prevented a potential act of cyber terrorism,” says Ahmed. “With over 1.5 billion users of WhatsApp globally, a bad actor could put down the central communication channels of millions of people in one fell swoop. We had to act very quickly. Facebook saw the seriousness of the issue and made moves overnight to address the situation.”

In a statement, WhatsApp software engineer Ehren Kret explained how the company handled the situation: “WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally. Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether.”

A WhatsApp representative told Fast Company that Check Point demonstrated to them how an attacker could create and deliver special malicious messages to a group that would crash the app for recipients. The malicious message, according to the spokesperson, included data that the WhatsApp application did not understand how to process, which resulted in the app crash loops. WhatsApp considered the patched flaw to have been more of a bug than a great security vulnerability.

“This bug did not allow for remote commands to be executed on the device,” the spokesperson said. “The app crashed rather than running unwanted commands.”

This story has been updated.