Software applications are not flawless and the same applies to cross-platform mobile messaging app WhatsApp. A security researcher found a way to crash WhatsApp with an emoji bomb.
WhatsApp is a low-cost alternative to carrier-billed text messaging via SMS, especially for messaging international numbers or a number of people in a group. WhatsApp is an easy-to-use app that allows users to share not only text messages but also images and videos.
Facebook acquired the messaging service in February 2014 for $19 billion. The popularity of WhatsApp has been growing around the world in the last few years, and in September 2015 the app had more than 900 million active users, up from 700 million users in January 2015.
Even though the app is extremely popular amongst messaging app users around the globe, it still has some flaws, which researchers have discovered.
In Dec. 2014, researchers Indrajeet Bhuyan and Saurav Kar demonstrated a message handler vulnerability in WhatsApp, which allowed a user to remotely crash another user's WhatsApp by sending a 2000-word special character message weighing 2kb.
WhatsApp would keep on crashing until the receiver of the special message deleted the entire conversation and started a new chat. The issue put more than 500 million WhatsApp users at risk at that time, but the company fixed the bug soon after it was notified about the problem.
While WhatsApp has fixed that problem, Indrajeet Bhuyan has found another vulnerability in the messaging app. Emojis are a fun way of expressing oneself without text, but emojis can also be used to crash a target's WhatsApp messenger.
"This year I have found a flaw in WhatsApp which can be used to crash WhatsApp mobile app and WhatsApp Web (which is the PC version of the same)," says Bhuyan. "In WhatsApp Web, WhatsApp allows 65500-6600 characters. But after typing about 4200-4400 smileys, the browser starts to slow down. But since the limit is not yet reached, WhatsApp allows to go on inserting. So it crashes while we type and send, and in mobile too, when it receives it, it overflows the buffer and it crashes."
Bhuyan claims that he has tested the new vulnerability, or the emoji bomb, in Firefox and Chrome for PC as well as on Android Marshmallow, Android Lollipop and Android KitKat. He has also tested a few mobile devices such as the Moto E (1st generation), Asus Zenfone 2 Laser and OnePlus 2, and the emoji bomb works on all these Android operating systems and devices.
Bhuyan also tested the vulnerability on iPhones, but instead of crashing, the app freezes for a while.
The researcher claims that the new vulnerability may affect over 1 billion Android users who actively use WhatsApp. Attackers may use the WhatsApp emoji bomb to delete records of conversations with a particular WhatsApp user.
Bhuyan reported the problem to WhatsApp and hopefully the company will issue a patch to fix the problem at the earliest. However, before the problem is fixed, a victim of the WhatsApp vulnerability may lose their chat history with the attacker.
Check out a video demonstration of how the new bug can be used to remotely crash WhatsApp.