wa.me bug

What?

A WhatsApp forward that is currently doing the rounds crashes the Android app whenever a message contains a URI with the string "wa.me/settings".

A lot of solutions have been offered online, but why does the crash get triggered? I searched a lot online for this, but didn't find anything technical. Naturally, it was time to take a look at it closely.


How?

/images/wa.me_settings.png

To trigger the bug, I sent the message "wa.me/settings" to myself on WhatsApp Web. Opening the WA app on my Android phone caused it to crash automatically. So, this bug is indeed real.


Why?

/images/wa.me_1.png

Looking at the crash logs, we can see that the bug is an IndexOutOfBoundsException thrown from a function of an anonymous internal class of the WA app, named X.0kg.A0Y. (Note that this name can differ across WA versions.)

wa.me links in WA are called Deep Links, and are used to quickly access a certain Activity in the app.

Navigating to the code path mentioned above (which handles these deep links), we find that the path of a wa.me settings URI is actually expected to contain a sub-path under /settings.




/images/wa.me_2.png

if (pathSegments.size() >= 1 && "settings".equals(A04(pathSegments, locale, 0))) {
    return A0A(uri, C12340ko.A0k(pathSegments, 1));
}


Let us take a look at the A0k function:

public static List A0k(List list, int i) {
    // Everything from index i to the end of the list
    return list.subList(i, list.size());
}


It returns a subList of the List supplied to it, starting at index i, which is passed as the second argument to the function.

But our string "wa.me/settings" has no sub-path: pathSegments contains only "settings", so list.subList(1, 1) returns an empty list.




This effectively means that we are passing an empty list to the function A0A as its second argument.

Relevant part of the A0A function:

public final int A0A(Uri uri, List list) {
    if (this.A02.A0Z(C55062jy.A02, 504) && A0E()) {
        Locale locale = Locale.US;
        // "list" is the sub-path list built by A0k; A0Y reads its first element
        String lowerCase = ((String) AnonymousClass0kg.A0Y(list)).toLowerCase(locale);
        // ...




Relevant part of the A0Y function:

public static Object A0Y(List list) {
    // No emptiness check before indexing
    return list.get(0);
}

This translates to "return the first element of the given list", but since the given list is empty, an IndexOutOfBoundsException is triggered, causing a crash.

To verify the correct usage of the wa.me settings path, I tried sending the string "wa.me/settings/chats", which opens the expected app pane without causing any sort of crash.
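
The same flow as a stand-alone Java program, with a hardened variant next to it. This is an added example, not WhatsApp's code: java.net.URI stands in for Android's Uri, A04 is assumed to lower-case the segment at the given index, and the class name, method names and the "settings-root" fallback are hypothetical.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class SettingsDeepLinkDemo {
    // Stand-in for Android's Uri.getPathSegments(): the non-empty path components.
    static List<String> pathSegments(String link) {
        List<String> out = new ArrayList<>();
        for (String s : URI.create("https://" + link).getPath().split("/")) {
            if (!s.isEmpty()) out.add(s);
        }
        return out;
    }

    // Mirrors the decompiled flow: size() >= 1 guard, subList(1, size()), then get(0).
    static String routeAsShipped(List<String> segs) {
        if (segs.size() >= 1 && "settings".equals(segs.get(0).toLowerCase(Locale.US))) {
            List<String> rest = segs.subList(1, segs.size()); // what A0k does
            return rest.get(0).toLowerCase(Locale.US);        // what A0Y does; throws if rest is empty
        }
        return null; // not a settings link
    }

    // Hardened: the tail is only indexed after checking that it has an element.
    static String routeHardened(List<String> segs) {
        if (segs.isEmpty() || !"settings".equals(segs.get(0).toLowerCase(Locale.US))) {
            return null; // not a settings link
        }
        List<String> rest = segs.subList(1, segs.size());
        // Hypothetical fallback: treat a bare /settings as the top-level settings screen.
        return rest.isEmpty() ? "settings-root" : rest.get(0).toLowerCase(Locale.US);
    }

    public static void main(String[] args) {
        // The two messages tested in this post.
        for (String link : new String[] {"wa.me/settings", "wa.me/settings/chats"}) {
            List<String> segs = pathSegments(link);
            String shipped;
            try {
                shipped = routeAsShipped(segs);
            } catch (IndexOutOfBoundsException e) {
                shipped = "IndexOutOfBoundsException"; // the crash seen in the logs
            }
            System.out.println(link + " -> as shipped: " + shipped
                    + ", hardened: " + routeHardened(segs));
        }
    }
}
```

Changing the guard to pathSegments.size() >= 2 would also avoid the exception, at the cost of treating a bare /settings link as unhandled.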


In short, whoever found this bug (if not accidentally), has a sharp eye for number comparisons ;D

P.S. Personally tested this on WA version 2.23.10.77