Saturday, 28 October 2017

Crashing anyones Whatsapp on IOS

This was a bug in iOS as well as WhatsApp which could allow anyone to permanently crash the WhatsApp of the victim under certain conditions .

I was playing with my iPhone when I realised that I could create a contact with "first name" consisting very large number of characters in it . Though it worked well but I had a feeling that it's impact will be somewhere as handing huge characters might tremble some or the other apps.

After an hour or so I opened whatapp to check my messages and it closed suddenly. I opened again and same thing happened . Now I was quick enough to connect the dots . I deleted the contact (with a very big First Name) and my WhatsApp was working.

I thought of reporting it to apple as well as Facebook but it was likely to be rejected because it was exploitable only on my own phone . Anyways what's the point of a bug which is exploitable on self.

So what's next

Think ..
Thinkk ..

Flash back of  few articles of self XSS which was converted into reflected XSS because the researcher found a way to make it shareable.  [Advantage of reading lots of write-ups ]

conneting dotssss....

Yes contacts are sharable!!!

But my own whatsapp is crashing how can I share it ???
Hence can't share the malicious contact with others via WhatApp..  SAD!

Solution
Share it through other messengers . Slack ?

So here are the steps :-

1) Create a contact with huge number of characters .
2) Share it with slack or any other messenger app .
3) Victim downloads it .
4) Victim imports it as a contact.
5) Ends up screwing his whatsapp

Completely boring!!!  So many user interaction required huhhh!

Plus a contact name with like this looks suspicious




Problems to solve now
1)Lessen the number of user interaction required.
2)Make the screen look less suspicion when contact is being displayed.

While I was looking for alternatives I found that contacts can be shared as .vcf file . Bingo!!!
Now I don't need a phone to share the malicious contact file. I can do it from my laptop.

And I can add space characters to make the contact look less suspicious . [Problem 2 solved]



What about sharing the malicious .vcf file ? Air Drop baby!!!!

So here's what we are going to do

1) Make a ".vcf" file on my MacBook . Here is a sample one

https://gist.githubusercontent.com/Shashank-In/4ac499e885714c4e2d47b989fce4a775/raw/dbf7ff6cea88395d3d34c2ca6fafe3a7b4e58674/shashank.vcf

With 3800 characters included in it with lots of spaces to make it less suspicious when displayed


Could have made it more spicy like . Victims Crush's phone number <3

2) Start sharing it to people near by you through AirDrop.  A ".vcf" file when sent through AirDrop gets automatically imported in a single click when accepted, unlike other messenger where a person had to manually import it as a contact .

Once accepted the number will be saved . And when the next time victim opens his/her WhatsApp, WhatsApp will crash .

My guess of issue in background . Every time when we open WhatApp perhaps it checks for newly added contacts to automatically show if that the number is associated with WhatApp account . So perhaps while looking for a new contact WhatApp found our malicious contact and could not handle it and hence crashed . And this repeats
WhatApp is opened > It looks for new contacts > Can't handle our malicious contact > crashes

Victim cannot use his WhatApp :)

Wewww

Video POC









Rewards , NO!
Facebook blamed Apple for it .




Apple happily fixed it in iOS 10.3.3



Though I feel that there was fault from WhatApp too because when I tried the same thing on telegram, telegram truncated the name of the contact to around 50ish and hence did not crash .

Happy crashing!