An emoji is worth a thousand words, or at least it is when you’re using WhatsApp. We’ve gotten used to expressing ourselves by using these colorful characters – be they smiley faces, grinning turds, or even animals – that it is strange to imagine ever communicating without them. In fact, a recent survey by Swiftkey in the USA managed to find out the most popular emoji by state, with some unusual results coming up, such as the smiling turd being the most popular one in Vermont.
So, due to the popularity of using emojis, it didn’t take long for cybercriminals to catch on to the fact that they could take advantage of their use, and some have started to use them to their advantage.
Following the WhatsApp scams of 2015, such as the message that invited you to download new emoticons but ended up stealing your contacts, 2016 has started out with a new vulnerability in the app, which is used by more than 900 million people worldwide.
Indrajeet Bhuyan, an 18-year-old from India, has just discovered that a cybercriminal, or even a friend who fancies playing a trick on you, could take advantage of a failure in WhatsApp’s system to remotely block your account.
The strategy to carry this out couldn’t be easier – all you need to do is send thousands of emojis in the same message and the app will close automatically. Bhuyan explained the entire process on the blog Hackatrick, where he also tells of his remarkable discovery.
After writing between 4,200 and 4,400 emojis on WhatsApp web, the teenager realized that the service began to slow down. Once the message was sent, he received an error message and the browser remained blocked.
However, when the person he was sending the message to connected, the message was received. Once opened, the application stopped working. During this phase, WhatsApp offered the usual options of waiting or closing the app. Despite this, the app would become blocked again due to the avalanche of emojis.
This young blogger has shown that the error can be produced in different web browsers (Firefox and Google Chrome) and various versions of Android (Marshmallow, Lollipop, and KitKat). Only iPhones were capable of resisting the chaos caused by the emojis, with WhatsApp for iOS only blocking itself for a few seconds.
The problem can be solved very easily, however. Instead of trying to read the message filled with emojis, the user should eliminate all of the chat without entering it. Although for some people, this is exactly the reaction that they hope to achieve.
For example, if a user has sent messages to another user that may contain private information, or has threatened another person via messages, they could send them this glut of emojis with the hope that the victim will delete the message entirely, eliminating all evidence.
Bhuyan also discovered a vulnerability that caused a shutdown of WhatsApp with a message of 2,000 special characters, although the company has since rectified this. He has just informed WhatsApp of his new finding and hopes that this fault is corrected in the next update.