A WhatsApp flaw let researchers crash the app on victims’ phones, forcing an uninstall and the deletion of the entire message history.
According to a new report from ZDNet, security researchers from Check Point have discovered and publicized a nasty vulnerability in older versions of the instant messaging app which could be leveraged to wipe out all the user’s group chats with a single maliciously formed message.
According to Check Point, the vulnerability could enable a malicious user to deliver a destructive group chat message that produces “a swift and complete crash of the entire application for all members of the group chat.” Check Point notes that the crash forces people to uninstall and reinstall WhatsApp, and that even after doing so they cannot return to the group chat, resulting in the total and permanent loss of all group chat history.
The issue lies in the app’s implementation of the XMPP communication protocol: the app crashes when a member with an invalid phone number sends a message to the group.
“The bug resides in XMPP (Extensible Messaging and Presence Protocol), a communication protocol for instant messaging,” reads the analysis. “When we attempt to send a message where the parameter ‘participant’ receives a value of ‘null’ a ‘Null Pointer Exception’ is thrown.”
“The parser for the participant’s phone number mishandles the input when an illegal phone number is received. When it receives a phone number with a length not in the range 5-20 or a non-digit character, it would read it as a ‘null’ string.”
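The failure pattern described in the analysis, shown as an added Java example that is not WhatsApp’s or Check Point’s code: a parser that returns null for a sender outside the stated 5-20 digit rule, a consumer that dereferences the result, and a hardened consumer that drops the message instead. All class and method names and the sample senders are hypothetical.

```java
import java.util.Optional;

// Added illustration; every name here is hypothetical, not WhatsApp's code.
public class ParticipantDemo {

    // Mirrors the behaviour quoted above: a length outside 5-20 or any
    // non-digit character makes the parser yield null.
    static String parseParticipant(String raw) {
        if (raw == null || raw.length() < 5 || raw.length() > 20) return null;
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c < '0' || c > '9') return null;
        }
        return raw;
    }

    // Fragile consumer: assumes the parser always succeeds.
    static String renderUnsafe(String rawSender, String body) {
        String participant = parseParticipant(rawSender);
        return participant.trim() + ": " + body; // throws when participant is null
    }

    // Hardened consumer: an unparseable sender invalidates the whole message,
    // which is dropped before it reaches rendering or storage code.
    static Optional<String> renderSafe(String rawSender, String body) {
        String participant = parseParticipant(rawSender);
        if (participant == null) return Optional.empty();
        return Optional.of(participant + ": " + body);
    }

    public static void main(String[] args) {
        // Constructed sample senders: valid, too short, contains a non-digit.
        String[] senders = {"15551234567", "123", "1555c234567"};
        for (String s : senders) {
            String unsafe;
            try {
                unsafe = renderUnsafe(s, "hello");
            } catch (NullPointerException e) {
                unsafe = "CRASH (NullPointerException)";
            }
            String safe = renderSafe(s, "hello").orElse("message dropped");
            System.out.printf("%-12s unsafe=%s | safe=%s%n", s, unsafe, safe);
        }
    }
}
```

The check belongs at the trust boundary where the message is received, so an invalid sender never reaches code that assumes a non-null participant.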
The vulnerability was discovered in August 2019 and reported to WhatsApp. The Facebook-owned company has since squashed the bug in the update for version 2.19.246 and onwards. As a quick reminder, WhatsApp includes a privacy setting allowing you to control who can add you to groups in the Account > Privacy > Groups section of the in-app settings.