Remember the iPhone unicode bug ? Android revenge is here

In the last hours different groups on WhatsApp started receiving a simple unicode message that crashes
the App.

It is similar to a "killer symbol" that crashed different apps on Iphones some time ago.
IPhone already has a history of this type of bugs, like in 2015 with the "Unicode of Death"

On our quick testing, we reviewed different tools affected by the new unicode DoS attack on the  
Android platform:

* Gmail subject and body (Crash)
* Instagram photos description (Crash)
* Instagram history - No (Auto crash)
* Twitter post - (No, the app was limiting the characters)
* Instagram prv msg - (Crash)
* Slack - Crash
* Facebook prv msg - (Not crash)
* Facebook post - (Not crash)
* Telegram (Crash)
* Linkedin Post (No, the app limit the characters)
* Skype private msg - (Crash)
* Facebook Messenger - (Crash)

In the following Android debug information there is information about the root cause of the
exploitation (our first thought was the Emoji Android lib):

The payload is really simple, 3000 characters of ‏&#x200E (More info)

Unicode is a hard one to handle nowadays, it will continue to give some new chapters in the
security field.

Let’s see when Android phones release the current updates. In the meantime, It is time to adding unicode
fuzzing in the development process.

We couldn’t find how to exploit it in a different way than a DoS to the Apps. Maybe this will change in the
next hours with more people looking into.

Happy trolling
Faraday Team
Post a Comment
Thanks for your comment