Researchers at cyber security firm Check Point said the issue means that people can send a destructive group chat message that causes a swift and complete crash of the entire WhatsApp application for all members of the group.
The crash bug is so severe that anyone affected is forced to uninstall and reinstall WhatsApp on their phone or device in order to use it again. Once reinstalled, the user would be unable to return to the group chat or access any of the group's chat history.
WhatsApp was informed of the vulnerability and issued a fix, though Check Point warned that users must update the app to the latest version in order to protect themselves against the attack.
“The ability to stop people being able to use WhatsApp and to delete valuable information from group chat histories is a powerful weapon,” Oded Vanunu, Check Point’s head of product vulnerability research, told The Independent.
The bug was first discovered in August 2019 and Mr Vanunu said he was not aware of any cases where the vulnerability has yet been exploited by hackers.
Check Point published a video explaining how an attacker would be able to take advantage of the flaw in order to crash WhatsApp for other users.
The method involves launching the attack using WhatsApp Web and the browser debugging tool available in all web browsers.
With more than 1.5 billion users globally, any bugs within WhatsApp can have severe consequences on a massive scale. A fix for the issue was rolled out in WhatsApp version 2.19.58 in mid-September, though any versions that were downloaded before that and not updated remain at risk.
“WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally,” said WhatsApp Software Engineer Ehren Kret.
“Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether.”