How to Crash WhatsApp with simple smileys

The independent researcher  Indrajeet Bhuyan has demonstrated that is possible to crash the popular messaging app Whatsapp by sending crazy smileys.

Crash our Friends’ WhatsApp could be quite easy, this is what the independent researcher Indrajeet Bhuyan has demonstrated by sending crazy smileys.

Nearly 4000 simple Smileys are enough to crash our friends’ WhatsApp, the trick works on both WhatsApp Web and mobile app.The researcher has reported his discovery to the colleagues at The Hacker News, he discovered a flaw that could be exploited the popular messaging app.

The impact is serious if we consider that up to 1 Billion users are affected by the problem. Bhuyan is not new to this kind of discovery, earlier this year, he reported two separate bugs in the popular messaging app, the WhatsApp Photo Privacy bug and WhatsApp Web Photo Sync Bug.

Last year the expert reported another flaw in the WhatsApp that was possible to exploit by sending a 2000 words (2kb in size) message in the special character set to remotely crash the messenger app.

Once disclosed the bug, Whatsapp promptly patched the flaw by setting up the limits of characters in WhatsApp text messages. Now it seems that a similar solution may work to prevent the crash in case the users send more thank 4000 for smileys send via WhatsApp.

“In WhatsApp Web, Whatsapp allows 65500-6600 characters, but after typing about 4200-4400 smiley browser starts to slow down,” Bhuyan wrote in his blog post. “But since the limit is not yet reached so WhatsApp allows to go on inserting…when it receives it overflows the buffer and it crashes.”

The researcher successfully tested the attack on PC Browser (Firefox, Chrome Android -marshmallow, lollipop, kitkat Mobile –  Moto E gen 1 ( 1gb ram ), Asus zenfone 2 laser ( 2gb ram ), Oneplus two (4gb ram).

The attack has a different effect against iphone devices, in fact, it fails to crash the application but it just freezes it for a few seconds. Bhuyan also published a Proof-of-Concept (PoC) video of the attack

“Suppose an attacker have send an abusive message or is blackmailing a victim. now the victim cannot show the message as proof as once the victim receive the smiley ( shown in video ) the whole chat with the attacker would crash and the victim wont be able to open it. The victim will have to delete the entire chat with the attacker in order to use whastapp normally. This can also use used to do a Denial of service in the browser and it freezes the browser and gives a ‘not responding’ error. I have reported the flaw to Whastapp . Lets hope they patch it in their next version” explained Bhuyan.

Waiting for a fix for the bug, users that are victims of this specific attack have to open their Whatsapp client and delete the whole conversation with the sender.

Pierluigi Paganini

(Security Affairs –Whastapp, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

9 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

13 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

18 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

21 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.