WHATSAPP — DOS VULNERABILITY IN IOS & ANDROID

Hello readers, :)

Today I wanna share with you one of my findings on Facebook; they rewarded me with a bounty of $500 for this bug.

Well, let’s introduce it.

During my bug-hunting career I was always looking for a bug on Facebook, and I always tried to find something in their acquisitions, subdomains and main domain, but all I got was a lot of duplicates, and some bugs got rejected (XSS, CSRF, Broken Authentication and Session Management, etc.). Anyway, I didn't give up, and one day I had a brilliant idea: find something on WhatsApp. Facebook has acquired more than 50 companies, including WhatsApp. The WhatsApp acquisition closed at a steep $19 billion. The WhatsApp app is available for Android, iOS, Windows Phone and PC too.

As you know, on WhatsApp you can chat with your WhatsApp friends, so I was thinking a lot about what type of bug I could find and... yes, the simplest bug ever, DoS.

Before this experience, I saw that some researchers had found some similar bugs in the Facebook main domain and the Facebook Messenger app, so I thought, "I can", and then I started hunting.

Honestly, my idea was to find a Buffer Overflow bug (it was a bad idea because I wasn't clear about that :) ), but then, after some research, I realized that Buffer Overflow and DoS are completely different things.

In fact, I reported this bug with this title: "Buffer Overflow vulnerability on WhatsApp Messenger android app", but I was wrong, it was just a simple DoS; anyway, the Facebook Security team accepted this issue, and that's what matters! :)

I was thinking about crashing the WhatsApp app by sending one message which contains a malicious payload or special characters to a victim.

This is the best part, guys: how I found these special characters for the DoS bug. Have you ever seen these kinds of characters on your Facebook timeline: https://pastebin.com/7aSNKVaV ? Check the special characters there; you can imagine what idea I had. (Best idea ever, because sometimes we need to use our imagination in order to find something interesting.)

I decided to make up a contact file and add a few emojis + "special characters" in the Contact name field that is shared. Then I shared this contact with the victim. When I opened his chat, the mobile screen turned black and bam, WhatsApp crashed, sometimes with a prompt to restart!!

At first, the Facebook security team didn't understand my issue, but after a clarification they sent my issue to the appropriate team.

Hi Vishnu,

We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does not resolve this issue.

Thanks,

Aaron
Security

And on Mar 4 they released the new Messenger APP for iOS/Android that contained the fix for my issue... and yes, I got $500 as bounty:

Hi Vishnu Vishnu,

After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. We fulfill our bounties through Bugcrowd.

While no private user information was at risk to be exposed, this is nevertheless a behavior that made it possible to crash/freeze WhatsApp, and a fix was implemented by the team.

Thank you again for your report. We look forward to receiving more reports from you in the future.

=== Next Steps ===

Now my name is there in the "2017" HOF year section ;)

"On behalf of over a billion users, we would like to thank the following people for making a responsible disclosure to us:" says this page, facebook.com/whitehat/thanks. I wanna say thank you too to the Facebook Security Team for the collaboration and for the bounty, and also for adding my name there, in one of the most important Halls of Fame in this world! :)

What have we learned today? Use your creativity, search for bugs on iOS/Android etc., work hard and you will see the results.

Hope you will enjoy this writeup, and thanks again for all the support!

Timeline:

Jan 15 2017: Initial report sent.

Feb 7 2017: Aaron informed me they'll investigate the issue.

Feb 16 2017: Aaron informed me the bug is fixed.

Mar 4 2017: $500 awarded :)

Stay awesome for the next writeup!

Cheers,

./vishnu :)