After joining a group chat, a user could edit specific message parameters using the WhatsApp web interface and a browser debugging tool. Then they could create an “unstoppable crash-loop for all group chat members” which could only be fixed by uninstalling and reinstalling the app. The exploit would prevent members from returning to the group and and also lose all history of the chat.

This follows another WhatsApp vulnerability discovered by Check Point last year. The FakesApp vulnerability, as it is known, allowed people to manipulate messages in group chats to make it appear as if other users had said things they had not. This worked by manipulating the parameters used by the WhatsApp web interface to fake the apparent sender of a message.

After finding the latest defect, Check Point disclosed the problem to WhatsApp in August as part of a bug bounty program. WhatsApp patched the issue in September with version 2.19.58, so take this as a reminder to keep your apps up to date.

The vulnerabilities took advantage of abandoned subdomains, EA Games’ use of authentication tokens and single sign-on and TRUST mechanisms built into the user login process. Had an attack been carried out, it could have been devastating, given that EA is the world’s second largest gaming company and millions of user accounts would have been at risk.

The vulnerabilities are a reminder of how susceptible online and cloud platforms are to breaches. “These platforms are being increasingly targeted by hackers because of [the] huge amounts of sensitive customer data they hold,” said Check Point’s Oded Vanunu. Check Point and CyberInt advise gamers to enable two-factor authentication and only use official websites to download or purchase games. The companies also caution that parents should warn children about the threat of online fraud.

The attackers don’t seem to be state-backed, though. They’ve also attacked government officials at “several” revenue authorities, and Check Point noted that there have been similar campaigns that targeted Russian speakers. At least one of the culprits, nicknamed EvaPiks, has been linked to a hacking forum where card theft was a subject of discussion. The intruders may be “financially motivated” based on this evidence, Check Point said.

As it is, the group is occasionally sloppy. While it planned the campaign and created false documents specific to each target, some parts of the campaign have left the attacker’s personal info exposed. If this is a state attack, it wasn’t a particularly good one. Not that this is much comfort to victims — they’ve had potentially sensitive data exposed to crooks who intend to abuse it.