WhatsApp Fixes Yet Another Group Chat Security Gap
Credit to Author: Lily Hay Newman | Date: Tue, 17 Dec 2019 11:30:00 +0000
The flaw would have given attackers an avenue for crashing the app—every time a user opened an infected group thread.
One of the most popular features of Facebook-owned WhatsApp is group messaging, which turns the app's end-to-end encrypted chats into social groups that can include up to 256 participants. But recent stumbles in group chat security—including a bug that could have let a hacker crash the app entirely—have shown that WhatsApp may need to keep a closer eye on these communal hubs.
That specific vulnerability, disclosed by security firm Check Point in August and patched in September, would have let a hacker cause group chat chaos with a specially crafted message. To stop their app from failing every time they opened the infected thread, recipients would have to uninstall WhatsApp altogether, reinstall it, and delete the compromised group chat from their account. Victims who didn't back up their WhatsApp data would lose everything in the uninstall process, and even those with backups would give up the contents of the affected chat, since it has to be removed without reopening it to stop the crash cycle.
"People could get these messages and the application will crash and they would not understand what to do—they will not know to uninstall and reinstall the app and then delete the group," says Oded Vanunu, Check Point's head of product vulnerability research. "For us it's very important to understand an application that is one of the main communication channels in the world. We already see that bad actors are using WhatsApp to attack targets, so it’s not the type of thing that's out of the norm."
In addition to denial of service and potential loss of data, Vanunu points out that a crafty attacker could also exploit the bug strategically to crash WhatsApp, and then start sending SMS or email phishing messages while they know the target's WhatsApp is likely inaccessible. Without WhatsApp, targets would be more focused on their other communication platforms. And phishers could even craft messages that claim to come from WhatsApp, or promise steps to recover data, to entice targets to click a malicious link. WhatsApp says it sees no signs that anyone actually exploited the bug.
Maintaining end-to-end encryption for group messaging presents a major challenge to secure chat platforms. The more endpoints there are where chat data needs to be decrypted and the more participants an app needs to keep track of, the more likely it is that bugs will pop up. WhatsApp has had its share of group chat flaws. Previous Check Point research into WhatsApp group message security and privacy found a number of different ways to manipulate content in group messages, or make old messages look like they were sent by a different participant. WhatsApp has fixed some of these issues, but has also said that some of them are inherent in any group communication, like an email thread inundated with reply-alls. Check Point says the company was very responsive about fixing the group chat crash bug for iOS and Android, though.
"We quickly resolved this issue for all WhatsApp apps in mid September," WhatsApp software engineer Ehren Kret said in a statement. "We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties." Even if a similar bug crops up, hackers won't be able to add random users to group chats to launch their attacks anymore.
Additional protections and catching bugs like this one may prove especially crucial as Facebook plans chat integrations across its platforms—including WhatsApp, Facebook Messenger, and Instagram. With so many interconnections, a denial of service attack in one app could potentially have impacts across the ecosystem. Groups are also an important battleground as WhatsApp scrambles to deal with the spread of misinformation on its platform. The tighter their security, the less groups can be exploited as a launchpad for malicious attacks.