Whatsapp Crash V2 – crashing PC browser and mobile app

Last year I together with my friend Sourav Kar made the world’s smallest code which could crash whatsapp. In a video demonstration, we have showed that how a 2000 words (2kb in size) message in special character set can crash Whatsapp messenger app. Previous it was discovered that sending a huge message ( greater than 7mb in size) on Whatsapp could crash victim device and app immediately, but using this new exploit an  attacker only need to send a very small size (approx 2kb) message to the victim.

The main impact of the vulnerability was that the user who received the specially crafted message had to delete his/her whole conversation and start a fresh chat, because opening the message keeps on crashing WhatsApp unless the chat is deleted completely. The exploit risked more than 500 million users worldwide. We reported the flaw and it was fixed in the next update.

Read more about it here : Crash Your Friends’ WhatsApp Remotely with Just a Message

This year I have found a flaw in whatsapp which can be used to crash whatsapp mobile app and whastapp Web ( which is the PC version of the same ).

Here are the details :

In whatsapp web, whatsapp allows 65500-6600 characters.But after typing about 4200-4400 smiley browser starts to slow down. but since the limit is not yet reached so whatsapp allows to go on inserting. so it crashes while we type and send and in mobile too when it receives it overflows the buffer and it crashes.

I have tested in the following

PC Browser – firefox, chrome
Android – marshmallow, lollipop, kitkat
Mobile –  Moto E gen 1 ( 1gb ram ), Asus zenfone 2 laser ( 2gb ram ), Oneplus two (4gb ram)

And it works perfectly well in the above.

I have tested in iphone too but in iphone it fails to crash but it freezes the app for a few seconds.

There are more than 1 billion android user who use whatstapp which means this flaw could affect 1 billion+ users.

Video Demosntration

Impact.

Suppose an attacker have send an abusive message or is blackmailing a victim. now the victim cannot show the message as proof as once the victim receive the smiley ( shown in video ) the whole chat with the attacker would crash and the victim wont be able to open it. The victim will have to delete the entire chat with the attacker in order to use whastapp normally.

This can also use used to do a Denial of service in the browser and it freezes the browser and gives a ‘not responding’ error.

I have reported the flaw to whastapp . Lets hope they patch it in their next version