A newly disclosed flaw lets anyone suspend a user's WhatsApp account without their consent. All the attacker needs in order to carry out the attack is the target's phone number. The loophole was discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña and was first reported by Forbes.
Do keep in mind, however, that the attacker can only lock the user out of their WhatsApp account, not gain access to it, so private chats and contacts should not be exposed. So what is the new WhatsApp flaw, and how does it work? We take a look:
WhatsApp flaw lets anyone suspend user’s account using their phone number
To carry this out, the attacker installs WhatsApp on their own device and tries to register the victim's phone number. WhatsApp verifies the number by sending a code to it by SMS or voice call, so every code goes to the victim's phone and the attacker never receives one. Instead of logging in, the attacker deliberately enters wrong codes, over and over.
WhatsApp only sends a limited number of codes, and after several repeated failed attempts it locks verification for that number for 12 hours. Because the lock is tied to the phone number alone, during that window neither the victim nor the attacker can complete verification for it.
The next part is where it gets interesting. The attacker then creates a fresh email address and writes to [email protected] asking for the number (the victim's) to be deactivated, citing a lost or stolen phone as the reason.
“So, to be very clear. WhatsApp has received an email referencing your phone number. They have no way of knowing whether this is really from you. There are no follow-up questions to confirm your ownership of the number. But an automated process has been triggered, without your knowledge, and your account will now be deactivated,” as per the Forbes report.
Within an hour or so, the victim is likely to see a message in the app saying the account has been deactivated because the phone number is no longer registered with WhatsApp on that phone: "This might be because you registered it on another phone. If you didn't do this, verify your phone number to log back into your account." Since verification for the number is still locked from the first step, the victim cannot simply re-verify and stays locked out until the 12-hour lock expires.
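The sequence above combines two independent weaknesses: a verification lockout that is keyed only to the phone number (so anyone can trigger it against anyone), and a support deactivation that acts on an email nobody has authenticated. The toy model below, added here as an illustration and not WhatsApp's code, replays the attack against a naive support desk and against a hardened one that demands proof of possession before deactivating. The attempt limit, the support-desk classes, the challenge-token flow, the sample number and the code value are all assumptions made for the example.

```python
# Added illustration of the attack chain described above. Hypothetical code:
# not WhatsApp's implementation. MAX_FAILED_CODES, the support-desk classes,
# the token challenge and the sample inputs are assumptions for the example.
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_CODES = 5       # assumed limit; the article only says "several"
LOCK_SECONDS = 12 * 3600   # the 12-hour lock the article describes


@dataclass
class NumberState:
    registered: bool = True          # owner currently has the number active on a device
    failed_attempts: int = 0
    locked_until: float = 0.0
    pending_token: Optional[str] = None   # used only by the hardened support desk


class VerificationService:
    """Code verification keyed only by phone number: whoever submits enough wrong
    codes for a number locks verification for everyone, the owner included."""

    def __init__(self) -> None:
        self.clock = 0.0                      # simulated time, in seconds
        self.numbers: dict[str, NumberState] = {}

    def state(self, number: str) -> NumberState:
        return self.numbers.setdefault(number, NumberState())

    def submit_code(self, number: str, code: str, correct_code: str) -> str:
        st = self.state(number)
        if self.clock < st.locked_until:
            return "locked"
        if secrets.compare_digest(code, correct_code):
            st.failed_attempts = 0
            st.registered = True
            return "verified"
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_CODES:
            st.locked_until = self.clock + LOCK_SECONDS
            return "locked"
        return "wrong_code"


class NaiveSupportDesk:
    """Deactivates on any email that names the number: no ownership check at all."""

    def __init__(self, svc: VerificationService, deliveries: dict[str, str]) -> None:
        self.svc = svc

    def request_deactivation(self, sender_email: str, number: str) -> str:
        self.svc.state(number).registered = False
        return "deactivated"


class HardenedSupportDesk:
    """Requires proof of possession: a one-time token goes to a channel already bound
    to the account (registered device or recovery email), never to the requester, and
    the number is only deactivated when that exact token comes back."""

    def __init__(self, svc: VerificationService, deliveries: dict[str, str]) -> None:
        self.svc = svc
        self.deliveries = deliveries   # number -> token, simulating the out-of-band channel

    def request_deactivation(self, sender_email: str, number: str) -> str:
        st = self.svc.state(number)
        st.pending_token = secrets.token_urlsafe(16)
        self.deliveries[number] = st.pending_token   # delivered to the owner, not the sender
        return "challenge_sent"

    def confirm_deactivation(self, number: str, token: str) -> str:
        st = self.svc.state(number)
        if st.pending_token and secrets.compare_digest(st.pending_token, token):
            st.pending_token = None
            st.registered = False
            return "deactivated"
        return "rejected"


def run_attack(desk_cls) -> dict[str, str]:
    """Replays the article's sequence against a support desk of the given class."""
    svc = VerificationService()
    victim, real_code = "+15551234567", "482913"   # constructed sample number and code
    deliveries: dict[str, str] = {}
    desk = desk_cls(svc, deliveries)

    # Step 1: attacker registers the victim's number on their own device and answers
    # the verification prompt with wrong codes until the number locks for 12 hours.
    last = ""
    for _ in range(MAX_FAILED_CODES):
        last = svc.submit_code(victim, "000000", real_code)
    # Step 2: from a throwaway address, claim the phone was lost and ask for deactivation.
    desk_result = desk.request_deactivation("throwaway@example.com", victim)
    if desk_result == "challenge_sent":
        # The attacker never sees the token; it went to the victim's device. A guess fails.
        desk.confirm_deactivation(victim, "guess-" + secrets.token_urlsafe(8))
    # Step 3: the victim tries to re-verify with the real code while the lock is active.
    victim_reverify = svc.submit_code(victim, real_code, real_code)
    return {
        "after_wrong_codes": last,
        "support_desk": desk_result,
        "victim_still_registered": str(svc.state(victim).registered),
        "victim_reverify": victim_reverify,
    }
```

Against the naive desk the victim ends up deregistered and unable to re-verify until the lock expires, which is the outcome the article describes. Against the hardened desk the deactivation never takes effect because the confirmation token went to the owner, not the requester. Note that the per-number lockout is still abusable as a nuisance in the hardened run; a practitioner would additionally key that limiter by the requesting client (device or session) rather than by the target number alone.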
As of now, it is unclear whether the loophole has been exploited against real users. Android Police, after hearing from WhatsApp, wrote: "A representative said that providing an email address with your two-factor authentication credentials can help avoid this hypothetical scenario, but that still puts the responsibility on WhatsApp for actually following its own best practices." In practice that means turning on two-step verification in WhatsApp's settings and adding the optional recovery email address, which gives WhatsApp a channel it can use to check a deactivation request with the actual owner.