As much as WhatsApp has done to improve the security and reliability of its globally used messaging platform, the company still finds itself dealing with problematic exploits. The latest is demonstrated by Indian research students Indrajeet Bhuyan and Saurav Kar, who showed how a simple text message with 2,000 characters (about 2KB worth of data) could crash the app of whoever receives it.
Unfortunately, the horror doesn’t end at the initial crash. Attempting to go back into the message thread will cause another force close, so the only way to rectify the issue is to delete the entire conversation. While some may think of the exploit only as a tool for trolling and pranking friends, it effectively allows a sender to wipe the recipient’s archived chat history with that sender.
In a group message setting, it would force the affected individuals to remove themselves from the group. The students demonstrated the exploit in a screencast video and noted that they’ve tested it on WhatsApp versions 2.11.431 and 2.11.432, and that it’s known to affect any Android device up to Android 4.4 KitKat. WhatsApp could also fall victim to the exploit on Lollipop, though it’s possible the latest version of Android hasn’t yet been tested.
The exploit reportedly doesn’t work on Windows Phone 8.1, and it has not yet been tested on iOS (though one user reported that their handset wasn’t affected when tested).
This isn’t the first time a messaging exploit has been revealed to cause app crashes. Hangouts suffered a similar bug if folks were to spam their chat messages with an ungodly amount of emoticons, and the “emoticon bomb,” as it’s affectionately called, has also been known to affect WhatsApp in a similar way.
We’re not sure if the vulnerability lies within the way Android handles text parsing and processing or if something can be done on WhatsApp’s end to put the flame out on this fire, but we’re reaching out to see if they can shed more light. In the meantime be sure to keep the aforementioned tips in mind should you be unfortunate enough to be hit with this nonsense.
[via The Hacker News]