Date: 2019-12-18

Researchers at Check Point Research recently identified a vulnerability in the Facebook-owned instant messaging platform WhatsApp that would allow an attacker to create a malicious group message to crash the app for all members of the group.

WhatsApp allows up to 256 participants in a single group, and to create the malicious message the attacker would need to be a member of the target group. Using WhatsApp Web, the web version of the chat app, and a debugging tool such as Chrome's DevTools, the attacker would edit specific message parameters and forward the message to the group. This would cause a crash loop for group members, denying them access to all WhatsApp functions until they uninstall and reinstall the app and then delete the group containing the malicious message.

"Because WhatsApp is one of the world's leading communication channels for consumers, businesses and government agencies, the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors. All WhatsApp users should update to the latest version of the app to protect themselves against this possible attack," said Oded Vanunu, Check Point's Head of Product Vulnerability Research.

The findings of the report were disclosed to WhatsApp, which quickly responded and fixed the issue for all apps in mid-September. The fix is available as of WhatsApp version 2.19.58.

"Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether," said Ehren Kret, WhatsApp Software Engineer.

With over one billion users, WhatsApp is one of the most popular messaging apps in the world today. Given the large user base, the messaging platform is targeted by attackers to compromise sensitive data stored on the device or to spread fake news and misinformation.

