The exploit, which crashes the WhatsApp web and mobile app, was discovered by 18-year-old Indrajeet Bhuyan, who wrote about it on hacking website Hackatrick and demoed it in a YouTube video.
So how do you crash WhatsApp? Bhuyan explains:
"In WhatsApp Web, WhatsApp allows 6500-6600 characters. But after typing about 4200-4400 smiley browser starts to slow down.
"But since the limit is not yet reached so WhatsApp allows to go on inserting. So it crashes while we type and send and in mobile too when it [the mobile app] receives it overflows the buffer and it crashes."
Bhuyan claims to have tested his exploit with the following:
- PC Browser - Firefox, Chrome
- Android - Marshmallow, Lollipop, Kitkat
- Mobile - Moto E Gen 1 ( 1GB RAM ), Asus Zenfone 2 Laser ( 2GB RAM), Oneplus Two (4GB RAM)
"It works perfectly well in the above," he said. "I have tested in iPhone too but in iPhone it fails to crash."
While WhatsApp does not crash on the iPhone, it does freeze for a few seconds, according to Bhuyan.
"There are more than 1 billion Android users who use WhatsApp, which means this flaw could affect 1 billion+ users."
Last year WhatsApp was forced to address a different app-crashing security flaw brought to light by Bhuyan and his friend Sourav Kar.
"We showed how a 2000 word message in special character set can crash WhatsApp Messenger app," he wrote. "The main impact of the vulnerability was that the user who received the specially crafted message had to delete his/her whole conversation and start a fresh chat, because opening the message keeps on crashing WhatsApp unless the chat is deleted completely.
Comodo
In a separate security issue brought to light this week, WhatsApp users are being spammed with a new malware attack, according to security firm Comodo, which wrote about the malware in this blog post.
The malware is being sent to WhatsApp users through official-looking emails claiming to be from WhatsApp itself. The emails state that the user has a missed call, audio recording or notification and the malware infects the user's PC when the attachment is opened.