WhatsApp DoS vulnerability on Android/iOS/Web

Hi Friends :)

Just writing this post to share my first experience with bug hunting. Happy to say that I’ve received my first bounty right from Facebook, which is considered to be a tough platform to get rewarded on…

Intro….

I am Pratheesh P Narayanan, and I’m pursuing a B.Tech (CSE) at one of the prestigious institutions in my state (Kerala, India). During my childhood days I had a passion for computers and other electronic gadgets. Well, it was my father who gave me exposure to the digital field. He was always there with me, and he was the first one to understand my passion. Even though I was pretty average in my academics, my mother knew my passion and stood with me all these years… She motivated me to go for B.Tech regardless of my poor academic performance -_-

I’m not really a bug hunter or a whitehat. But I do love technology, and I tried my own ways to break the security of different websites/apps from time to time ;). I had previously reported some bugs to Google and was awarded a place in their Hall of Fame (currently Page 5).

About The Bug….

The attacker sends the malicious payload to the victim as a contact. Please note that the payload is embedded within the contact and there is no way the victim is aware of it. As soon as the payload gets delivered to the victim, his phone immediately crashes.

PAYLOAD: //removed[THIS IS AN ANDROID FRAMEWORK ISSUE AND I CANNOT SHARE THE PAYLOAD UNTIL GOOGLE ISSUES A FIX]//

NB: The issue is fixed and you need not try using the payload again ;)

All I did was embed the payload in a contact file along with a long list of emoticons. As soon as the payload is delivered to the victim, a notification is displayed on the victim’s phone. As soon as the payload is delivered, the victim’s phone crashes. The contact can be sent N times to increase the severity of the crash.

I was in deep trouble making the Facebook team understand my bug. Though I had sent a video POC and detailed instructions, they could never reproduce my bug. So I asked them to message me on WhatsApp so that I could send them the payload. And as expected, they did message me and I could crash the test device of the Facebook Security Team :)

Chat With Facebook Team

And it was not enough; I had to reproduce the issue with the WhatsApp Security Team as well, and yeah, I did :)

Whatsapp Security Team

After almost 2 months of waiting, they finally fixed it and rewarded me with $500, and my name was added to the Hall of Fame.

This is all about my experience with my first bug bounty. I hope I can come up with more reports in the future. Thanks for your valuable time in reading my story :)

Also, I extend my Gratitude to ABHISHEK SIDHARTH for helping me create this report.

See you soon

Wanna contact me?

Twitter: @PRATHEESH_PPN

Telegram: https://t.me/Al3n890

Regards

Pratheesh P Narayanan
