Whatsapp- DOS vulnerability on Android/iOS/Web

Hi Friends :)

Just writing this post to share my first experience on Bug Hunting.. Happy to say that I’ve received my first bounty right from Facebook which is considered to be a Tough Platform to get rewarded…

Intro….

Myself Pratheesh P Narayanan, I’m pursuing B.tech (CSE) from one of the prestigious institutions in my State (Kerala,India).During my childhood days I had a passion towards computers and other elecronic gadgets. Well,it was my Father who gave me an exposure to the Digital Field. He was always there with me ,he was the first one to understand my passion. Even though i was pretty average on my academics, my Mother knew my passion and stood with me all these years… She motivated me to go for Btech regardless of my poor academic performance -_-

I’m not really a Bug hunter or a Whitehat. But I do love Technology and i tried my own ways to break the security of different websites/apps from time to time ;). I had previously reported some Bugs on Google and was awarded with their Hall Of Fame (currently Page 5).

About The Bug….

The attacker sends the malicious payload to the victim as a contact. Please note that the payload is embedded within the contact and no way the victim is aware of it. As soon as the payload gets delivered to the victim,his phone immediately crashes.

PAYLOAD: //removed[THIS IS AN ANDROID FRAMEWORK ISSUE AND I CANNOT SHARE THE PAYLOAD UNTIL GOOGLE ISSUES A FIX]//

NB: The issue is fixed and you need not try using the payload again ;)

All i did was embed the Payload on a contact file along with long list of emoticon’s . As soon as the payload is delivered to the victim, the phone displays a notification on the victims phone. As soon as the payload is delivered, the victims phone is crashed. The contact can be send N times to increase the severity of the crash.

I was in deep trouble making the Facebook team understand about my bug.Though I had sent Video POC and detailed instructions, they could never reproduce my bug. So I asked them to message me on Whatsapp so that i could sent them the payload. And as Expected, they did message me and i could crash the test device of the Facebook Security Team :)

Chat With Facebook Team

And it was not enough, i had to reproduce the issue with the Whatsapp Security Team as well, and yeah i did :)

Whatsapp Security Team

After almost 2 months of waiting,they finally fixed it and rewarded me with $500 and my name was added to Hall Of Fame

This is all about my experience on my first bug bounty.I hope I can come up with more Reports in the future.Thanks for your valuable time in reading by Story :)

Also, I extend my Gratitude to ABHISHEK SIDHARTH for helping me create this report.

See you soon

Wanna contact me?

Twitter: @PRATHEESH_PPN

Telegram: https://t.me/Al3n890

Regards

Pratheesh P Narayanan