• Twitter
  • Facebook
  • Youtube

Sunday, March 5, 2017

WhatsApp - 0day Vulnerability in IOS & Android


Greetings Everyone

Today we are going to share the 0day that we have discovered in WhatsApp. Our team(Muhammad Uwais, Kunal Khubchandani, & Shawar Khan) identified a 0day vulnerability in WhatsApp Mobile Applications(iOS & Android). The Followings are the details:

Bug: Buffer Overflow App Crash Denial of Service Vulnerability
Affected Versions: All Whatsapp Versions prior to "2.17.79"

Platform: IOS & Android
Researchers: Muhammad Uwais, Kunal Khubchandani, Shawar Khan
This vulnerability allows a remote attacker to crash the target victim's mobile application. This affects both version of Whatsapp which include Whatsapp for IOS & Whatsapp for Android. 


Recently Uwais joined WhatsApp and started the Pentest against the application as thats what a hacker does at start, identifying security flaws is the first step every hacker performs. Recently a flaw was discovered that allowed attackers to crash victim's whatsapp by sending a message containing unknown characters and recently a guy found that he could crash Whatsapp Ios Version by 2 emojis if you know those are rainbow and a white flag . According to Uwais:

I decided to make up a contact file and add up few emojis "Smiley Face" in the area of Contact name that is shared . Luckily my mobile Xiamoi Mi 3 allowed me to add emoji's and characters as many as I want .Then I shared this contact nothing happened , I added bomb emoji with other 30 smiley face emoji's. Then I send the contact to Kunal while opening his chat I noticed a slightly delay of 1.5-2 secs than usual time while opening his chat.
Uwais noticed this behaviour and asked Kunal to have a look into it because of limited access to computers at my college .

So he made the other contact i.e the contact named with bomb emojis which caused delay , then Kunal copied that message(contact) and only added characters of "bomb" emoji's and then he kept on multiplying the bomb emoji's and kept on testing its response (delay) in opening the conversation (message) .

He noticed a lot of serious lagging and I couldn't type back in the conversation while testing on android application , and again he added more and more bomb emoji characters around 5000 then he sent the contact to me on my phone, as soon as I opened his chat the mobile screen turned black and bamm whatsapp crashed !! As some phones couldn't store emoji's as the contact name so he used 3rd party app from playstore to create a contact like that . As for now we are sure all Android devices along with the whatsapp versions were affected if contact was shared with name containing around 5000 Bomb emoji's.

It was time to test ios devices , so we messaged another friend named Shawar Khan who is also a Cyber Security Researcher & WhiteHat Hacker from Pakistan and we asked him to test ios device as he is an IOS Application Penetration Tester .
I(Uwais) sent him the same contact , this time the results we noticed were crazy. 

 
His phone started lagging and his whatsapp crashed on the pressing of his home button on his iPhone. The payload was further modified by Shawar and a much powerful payload was created which caused a complete application crash of the Victim's device. To handle this such huge payload a powerful device was required as Android devices was not able to handle it, Iphone 6s was used to send the modified payload and was successfully able to takedown any WhatsApp Conversation / Group.



So finally we are confirmed that it effects every phone rather it's an iOS or android 😉 .

All versions prior to 2.17.79 were affected . Along with the app crash main ios was also affected.
The vulnerability was reported to Facebook and is now fully patched.

Demonstrations: 
Android to Android(Demo by Kunal)


IOS to Android(Demo by Shawar Khan)

 

Contact

Get in touch with me