Whatsapp Crash V2 - crashing PC browser and mobile app



Last year I together with my friend Sourav Kar made the world's smallest code which could crash whatsapp. In a video demonstration, we have showed that how a 2000 words (2kb in size) message in special character set can crash Whatsapp messenger app. Previous it was discovered that sending a huge message ( greater than 7mb in size) on Whatsapp could crash victim device and app immediately, but using this new exploit an  attacker only need to send a very small size (approx 2kb) message to the victim.

The main impact of the vulnerability was that the user who received the specially crafted message had to delete his/her whole conversation and start a fresh chat, because opening the message keeps on crashing WhatsApp unless the chat is deleted completely. The exploit risked more than 500 million users worldwide. We reported the flaw and it was fixed in the next update.

Read more about it here : Crash Your Friends' WhatsApp Remotely with Just a Message

This year I have found a flaw in whatsapp which can be used to crash whatsapp mobile app and whastapp Web ( which is the PC version of the same ).

Here are the details :


In whatsapp web, whatsapp allows 65500-6600 characters.But after typing about 4200-4400 smiley browser starts to slow down. but since the limit is not yet reached so whatsapp allows to go on inserting. so it crashes while we type and send and in mobile too when it receives it overflows the buffer and it crashes.

I have tested in the following


PC Browser - firefox, chrome
Android - marshmallow, lollipop, kitkat
Mobile -  Moto E gen 1 ( 1gb ram ), Asus zenfone 2 laser ( 2gb ram ), Oneplus two (4gb ram)

And it works perfectly well in the above.

I have tested in iphone too but in iphone it fails to crash but it freezes the app for a few seconds.

There are more than 1 billion android user who use whatstapp which means this flaw could affect 1 billion+ users.

Video Demosntration


Impact.

Suppose an attacker have send an abusive message or is blackmailing a victim. now the victim cannot show the message as proof as once the victim receive the smiley ( shown in video ) the whole chat with the attacker would crash and the victim wont be able to open it. The victim will have to delete the entire chat with the attacker in order to use whastapp normally.

This can also use used to do a Denial of service in the browser and it freezes the browser and gives a 'not responding' error.

I have reported the flaw to whastapp . Lets hope they patch it in their next version

Your Phone is not secure, Your Call can be spoofed. Here's How.





This article is only for educational Purpose


Only truly secure system is one that is powered off, cast in a block of concrete.
Well, This might sound like a Sci-Fi Movie but reading of sensitive e-mails and SMS to stealing of photos, tracking of location , spoofing your phone calls can be done, and you can be the target.

How hackers can take control over your Phone ?

The IMSI Catcher

Before I talk about the IMSI Catcher , I'll introduce you to some buzzwords.
IMSI , International Mobile Subscriber Identity. This is a GSM unique identifier that defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs. 


ICCID , Integrated Circuit Card ID. This is the identifier of the actual SIM card itself - i.e. an identifier for the SIM chip. It is possible to change the information contained on a SIM (including the IMSI), but the identify of the SIM itself remains the same.

IMEI , International Mobile Equipment Identity and is a unique number given to every single mobile phone, typically found behind the battery.

Simply Put, IMSI catcher is a fake phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.
Here's a rough discussion on How was it done.
The concept is Simple, your mobile phone automatically tries to route its communications through the strongest signal from nearby phone base towers, and the IMSI Catcher satisfies this need by emitting the strongest signal.

What are some other ways how an attacker tries to gain control over your phone?

If you use P2P services, you might have seen 'cracked' premium apps. In that case, I'll have you known 3 random ways that a attacker tries to gain access on your phone.
  1. A 'cracked' version of a premium app.
  2. Fake Ads/Tricking the user to download malicious app
  3. Uninstalling and installing the malicious version of the same app.
Vodafone In India provides M-PESA service for money transfer , But Security Researchers are able to compromise these systems.

So basically, The type of attacks possible here are only limited by the coding ability and creativity of the hacker.

So Do You think you are Secure? What are you using on your phone to keep yourself secure? Let Us know! 

How to enable voice calling feature on WhatsApp


Recently WhatsApp rolled out its much awaited  feature whatsapp call using which one can make call to their whatsapp friends.


However, the feature is in the beta version and is not yet ready for a public release. One can get the call feature if they have the latest version ( 2.11.520 ) and if someone with the call feature makes a call to them. On 14th February I got a call from one of my friend and the feature was activated on my whatsapp account and this is how it looks now.

 Once I got the call feature I started calling my friends to activate their WhatsApp call feature. But the call feature was not getting activated on 15th February . Many user on various forums reported that the call and invite feature was not working for them now . There are various methods available online which claims to activate the call feature in WhatsApp. So i along with my friend  Dominik Tanas tried various methods available online to see if it works.

Method 1 :Using terminal emulator

We used the terminal emulator where one needs to type the following in the Using terminal emulator

su
am start -n com.whatsapp/com.whatsapp.HomeActivity
But it did not work and we had the same old User interface.

Method 2 : Decomplie and edit xml file

In the second method one needs to decomplile whatsapp and edit the Androidmanifest.xml file and change a few lines of code to enable the feature but even this trick was not working for us.

Also read :  Unlock Whatsapp phone function UI [ In German ]

Conclusion

The call feature is now in beta mode and on 15th February WhatsApp took down the call and activate feature so now even if your friend have the call feature and you get a call, your WhatsApp won't get the call feature.

Multiple Vulneribilities found in Whatsapp Web



Few days back whatsapp released its web client which is called as WhatsappWeb and as soon as it was released everyone was curoious to know if there exist some kind of bug in it. Even i was curious to know . So i tried a few thing and i got two bugs on it. And to my surprise my findings went viral. It got covered in almost by all the popular newspaper, online news portal. Few of them are : International Business Times , The Hacker News , The Assam Tribune , Infosecurity Magazine , etc. Even the popular British security analyst Graham Cluley  shared his valuable opinions about my findings in his blog.

So here are the two bugs that i discovered in the new WhatsappWeb.

Whatsapp photo privacy bug

Whatsapp gives us the option to hide our profile picture from others. Whatsapp offers 3 options a. everyone b. contacts c. nobody. If we set privacy to contacts only then only the people who are in our contact list can view our profile picture. But The new version of WhatsApp Web allows us to view a user’s profile image even if we are not on the contact list of that user. Even if the user has set the profile image privacy setting to "Contacts Only," the profile picture can be viewed by out of contacts people as well.

Here is the video demonstration :




As  Graham Cluley said in his blog , it’s not the most serious privacy breach that has ever occurred. But the fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved.

WhatsApp Web Photo Sync Bug

Two weeks back when whatsapp released its web client called whatsappWeb they said that all the messages will be synced. Means if we send a message from our phone it will appear on the whatsappweb too and if we send a message from whatsappweb the message will appear in our mobile too. Now if we delete a message from mobile then the chats get refreshed in whatsappweb and the message that was deletes in the mobile gets deleted. But the same does not happen with photos. If we send a photo from our mobile it appears in our whatsappweb too and then when we delete the photo from our mobile , the photo appears blurred in our mobile as it is deleted but the same does not happen in whatsappweb. It does not get refreshed like the other time it did when user deletes a text. The photo is still accessible by Whatsapp Web as the photo does not get deleted from its web client, revealing the fact that mobile and web clients of the service are not synced properly.

Here is the video demonstration :


I have reported both the bugs to the whatsapp security team and they are now working on it. Since the WhatsappWeb is now in its initial stage so I suppose things are not well arranged but I hope in the coming days whatsapp patch its bugs and give us a secure and awesome messaging platform.

WhatsApp Web - WhatsApp launches its web client, but not for iOS users



A long-desired feature for fans, WhatsApp is now available on the browser — but not any browser. For now, Chrome is the only browser supported, and you’ll need the app to log-in. With a scan of the QR code, you can start chatting on the desktop, and leave your phone on the desk next to you. Unless you’re on iOS — the desktop doesn’t support that, either.


To get started chatting via WhatsApp on the desktop, head into your app on Android, Windows Phone, or BlackBerry. You’ll see a “WhatsApp Web” screen, which is where you scan the QR code on WhatsApp’s web portal.

The scan links the browser experience with your app. WhatsApp also says your phone needs to stay connected to the Internet for it to work, which means turning your phone off or slipping it into Airplane Mode could disable your browser session.

Apple users may not see a WhatsApp version, either. According to WhatsApp CEO Jan Koum, Apple’s “platform limitations” currently prevent the desktop version from being available to iOS users, and could even be why Safari is left hanging.

Hide Last Seen Status on Whatsapp



If you own a smartphone then chances are there that you are already using Whatsapp. The reason why whatsapp is much popular than many other messengers is because of its simplicity of app and number of features provided by it.It is an instant messaging application which has now updated with time and able to send and receive voice messages as well. Apart from just voice and text messages it is capable of sharing multimedia files like videos , images , songs etc.