Independent researcher Indrajit Bhuyan (Indrajeet Bhuyan) has found an amusing vulnerability in WhatsApp. Exploiting this bug can crash the application for any user.
Bhuyan had already found a similar vulnerability earlier. In December 2014, he reported that WhatsApp could be “dropped” using messages containing 2000 of certain words (2 KB in size). That hole has long been fixed: back then the developers had to introduce a limit on the number of characters in a single message.
Exactly one year later, Bhuyan found a new bug that the limit on the number of characters in a message does not prevent. The point is that the imposed restriction does not apply to emoji.
“In WhatsApp Web there is a limit of 5500-6600 characters, but if you type 4200-4400 emoji, the browser is already beginning to slow down,” says the researcher in his blog. “Since the character limit has not been reached, WhatsApp will still allow you to continue. Receipt of such a message will cause a buffer overflow, leading to a ‘fall’ of the application.”
The problem is confirmed for the WhatsApp Android application (the bug works on Marshmallow, Lollipop and KitKat), as well as for the web-based application, WhatsApp Web (the Chrome, Opera and Firefox browsers hang). The researcher notes that on the iPhone the attack simply freezes the app for a few seconds; on iOS the attack does not lead to a crash.
A proof-of-concept video demonstrates the emoji attack in action. It is worth noting that the attacker's browser also freezes when sending a “smiley bomb.”
Although the researcher has already notified Facebook of the problem, a fix has not been released yet. Until a patch is available, victims of this attack can be advised only one thing: to get rid of the problem, delete the entire message history with the sender of the 4000+ emoji.
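The gap described above, where a message stays under the character limit yet is far heavier than ordinary text, can be closed by budgeting more than one metric and by re-checking on the receiving side. The sketch below is an added example, not WhatsApp's code: the function names and the byte and emoji budgets are assumptions, and only the 5500 figure echoes the range quoted by the researcher.

```javascript
// Hypothetical budgets (assumptions for this example); only the 5500
// figure echoes the character range quoted in the article.
const LIMITS = { codePoints: 5500, utf8Bytes: 8192, emoji: 1000 };

// Unicode property escape: matches pictographic emoji code points.
const EMOJI_RE = /\p{Extended_Pictographic}/gu;

// Measure a message three ways instead of one.
function measure(text) {
  return {
    codePoints: [...text].length,                     // what a "character limit" sees
    utf8Bytes: new TextEncoder().encode(text).length, // encoded size
    emoji: (text.match(EMOJI_RE) || []).length,       // glyphs that are costly to lay out
  };
}

// Character-count-only check, modelling the behaviour the researcher describes:
// an emoji-only message stays under the limit and is accepted.
function charLimitOnly(text) {
  return measure(text).codePoints <= LIMITS.codePoints;
}

// Hardened check: every budget must hold, and the caller learns which one failed.
function checkMessage(text) {
  const metrics = measure(text);
  const exceeded = Object.keys(LIMITS).filter((k) => metrics[k] > LIMITS[k]);
  return { ok: exceeded.length === 0, exceeded, metrics };
}

// Receiver side: never assume the sending client enforced anything.
// Oversized content is replaced by a placeholder before it reaches the renderer.
function renderIncoming(text) {
  const result = checkMessage(text);
  return result.ok
    ? text
    : `[message withheld: exceeds ${result.exceeded.join(", ")}]`;
}

// Constructed sample: 4300 copies of one emoji, inside the range the article quotes.
const sample = "\u{1F600}".repeat(4300);
console.log("char limit only accepts:", charLimitOnly(sample));
console.log("hardened check:", checkMessage(sample));
console.log("receiver shows:", renderIncoming(sample));
```

Because `renderIncoming` runs on the recipient's side, an oversized message is swapped for a placeholder instead of being passed to the renderer, so opening the chat history does not depend on what the sender's client allowed.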