A security expert has discovered a serious flaw in WhatsApp which allows attackers to crash both the desktop and app versions of the platform. What’s worrying about it is the simplicity of the attack, since all a person has to do is send a bunch of smileys to the victim.
The flaw was uncovered by Indrajeet Bhuyan, who tested the vulnerability using Firefox, Chrome, a Moto E (1st Gen), an Asus ZenFone 2 Laser and a OnePlus 2. WhatsApp Web currently allows people to type a maximum of 6500 – 6600 characters. In a video, Bhuyan demonstrated how a message filled with 4200 – 4400 emojis leads to the browser slowing down.
Since that count is still below the character limit, the page eventually lets the attacker send the missive. The individual who receives it will find their browser crashing if they try to open the message. Something similar happens if they try to access it through the mobile version of WhatsApp. The application shuts down and asks the user if they want to close it.
In a blog post, Bhuyan notes that the iPhone doesn’t crash using the same procedure. However, the process does freeze the app for a few seconds. The only way to stop the messaging service from crashing due to an emoji-filled message is to delete the entire conversation.
The method could be taken advantage of by aggressors who want to abuse or blackmail a person. The victim won’t be able to display evidence of the crime as they will be forced to wipe it out. This isn’t the first time Bhuyan has discovered a bug in the way WhatsApp functions. Last year, he exposed a way to make the application stop working by sending a 2000-word message.
Bhuyan reported that issue to WhatsApp, which fixed the problem in an update. He has notified the company of the latest flaw as well, and is waiting to see if it fixes the vulnerability in the future.