How to crash WhatsApp by sending an emoji bomb
A security researcher has revealed a way you can crash another user’s WhatsApp by sending them a single message.
18-year-old Indrajeet Bhuyan is no stranger to finding flaws in the WhatsApp messenger app, having last year discovered a way to create a specially crafted message that crashes the app every time it is opened, and forcing recipients to delete the entire message thread.
WhatsApp fixed that flaw, but is now shown to be vulnerable to another flaw along similar lines that Bhuyan has uncovered.
In a blog post, Bhuyan describes that over one billion WhatsApp users around the world are running the risk of receiving a message containing approximately 6000 emojis.
And that number of smiley faces is, apparently enough to either crash the desktop or Android version of WhatsApp, and cause the iOS version to freeze for some seconds.
Why would someone want to send another WhatsApp user an emoji bomb? Well, aside from childish pranks, Bhuyan offers the scenario of online bullies or extortionists, who might want to send an abusive message to their intended target but then prevent the conversation from being shown to other parties.
A YouTube video made by Bhuyan demonstrates how an attacker could cause a remote victim’s WhatsApp account to crash.
Typing quite so many emojis may put many of us off the idea of experimenting with this bug, but it’s not hard to imagine a determined malicious attacker using cut-and-paste to rapidly build a long enough message.
Although some may be tempted to think this isn’t a serious bug, I would argue that it suggests that WhatsApp’s developers aren’t doing enough to ensure that they have coded their messaging app securely. Proper systematic testing should have found the flaw, which sounds like a failure to conduct proper input validation – preventing users from entering so many emoji characters that would ultimately cause a buffer overflow.
Bhuyan says he has reported the flaw to WhatsApp, and is hopeful that they will fix it in their next version.
In the meantime, go easy on the smiley faces you send to friends and loved ones this Christmas.
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War
August 31, 2022
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor
August 30, 2022
What is medical identity theft and how to protect against it
July 27, 2022
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside
June 28, 2022
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online
June 28, 2022