
PSA: Update WhatsApp as a single message can wipe out your group chats

All users are advised to update WhatsApp, as older versions have a vulnerability that could see a single message wipe out your group chats…

Security researchers from Check Point found a serious security flaw in the iOS and Android apps.

The defect would have enabled a bad actor to deliver a destructive group chat message that produces a swift and complete crash of the entire application for all members of the group chat. The crash is so severe that users are forced to uninstall and reinstall the application, in order to gain proper use of WhatsApp. Furthermore, the user would be unable to return to the group chat, which would lead to the loss of all group chat history, indefinitely. The group chat would then not be able to be restored after the crash occurs and would need to be deleted in order to stop the crash-loop.

Carrying out the attack would be relatively simple. An attacker would use a web browser debugging tool to edit a message sent to any group chat. That message would cause the app to crash for all members, and the app would continue to crash each time anyone tried to open it.

Because the only way to recover would be to delete the app and all its data, then reinstall from scratch, all chat history in the group would be lost for all members.

Check Point followed the usual responsible disclosure process, advising WhatsApp of the details, and waiting for the company to issue an update to fix it before going public.

That has now been done, and you can protect yourself and your groups by ensuring you update WhatsApp to the latest version. Open the App Store app, tap your profile photo at the top right and scroll down to see whether any updates are available. If there are none, you can check that WhatsApp has already been updated by scrolling down to it in Recent Updates and ensuring you are on version 2.19.120 or later.

WhatsApp said that Check Point had allowed time for users to update before disclosure.

"WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally. Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether."

Check Point previously discovered a method for someone to fake responses from you in quoted replies, as well as a way to fool you into confusing private and public messages. The latter issue has been fixed, but the way end-to-end encryption works with WhatsApp means it wouldn’t be practical to fix the quote-spoofing, says the company.

WhatsApp owner Facebook recently sued an Israeli company for a hack which allowed various governments to spy on more than 1,000 users before the company fixed the vulnerability.


Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

