2 min read

How to crash WhatsApp by sending an emoji bomb

Graham CLULEY

December 23, 2015

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
How to crash WhatsApp by sending an emoji bomb

Pranksters rejoice!

A security researcher has revealed a way you can crash another user’s WhatsApp by sending them a single message.

18-year-old Indrajeet Bhuyan is no stranger to finding flaws in the WhatsApp messenger app, having last year discovered a way to create a specially crafted message that crashes the app every time it is opened, and forcing recipients to delete the entire message thread.

WhatsApp fixed that flaw, but is now shown to be vulnerable to another flaw along similar lines that Bhuyan has uncovered.

In a blog post, Bhuyan describes that over one billion WhatsApp users around the world are running the risk of receiving a message containing approximately 6000 emojis.

whatsapp-chats

And that number of smiley faces is, apparently enough to either crash the desktop or Android version of WhatsApp, and cause the iOS version to freeze for some seconds.

whatsapp-crash

Why would someone want to send another WhatsApp user an emoji bomb? Well, aside from childish pranks, Bhuyan offers the scenario of online bullies or extortionists, who might want to send an abusive message to their intended target but then prevent the conversation from being shown to other parties.

A YouTube video made by Bhuyan demonstrates how an attacker could cause a remote victim’s WhatsApp account to crash.

Typing quite so many emojis may put many of us off the idea of experimenting with this bug, but it’s not hard to imagine a determined malicious attacker using cut-and-paste to rapidly build a long enough message.

Although some may be tempted to think this isn’t a serious bug, I would argue that it suggests that WhatsApp’s developers aren’t doing enough to ensure that they have coded their messaging app securely. Proper systematic testing should have found the flaw, which sounds like a failure to conduct proper input validation – preventing users from entering so many emoji characters that would ultimately cause a buffer overflow.

Bhuyan says he has reported the flaw to WhatsApp, and is hopeful that they will fix it in their next version.

In the meantime, go easy on the smiley faces you send to friends and loved ones this Christmas.

tags


Author



Right now

Top posts

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Prison for ex-eBay staff who aggressively cyberstalked company's critics with Craigslist sex party ads and funeral wreaths Prison for ex-eBay staff who aggressively cyberstalked company's critics with Craigslist sex party ads and funeral wreaths
Graham CLULEY

September 30, 2022

2 min read
Honolulu Man Sabotaged Former Employer’s Network and Business Using Still-Active Credentials Honolulu Man Sabotaged Former Employer’s Network and Business Using Still-Active Credentials
Silviu STAHIE

September 30, 2022

1 min read
North Korean Gang Uses Compromised Open Source Software to Distribute Malware, Researchers Find North Korean Gang Uses Compromised Open Source Software to Distribute Malware, Researchers Find
Silviu STAHIE

September 30, 2022

1 min read