WhatsApp allegedly has a vulnerability that can allow an attacker to suspend your account remotely.
WhatsApp is found to have a vulnerability that can allow an attacker to suspend your account remotely using your phone number. The flaw that has now been found by security researchers appears to have existed on the instant messaging app for quite some time now — due to fundamental weaknesses.
A large number of WhatsApp users are said to be at risk as a remote attacker can deactivate WhatsApp on your phone and then restrict you from activating it back. The vulnerability can be exploited even if you’ve enabled two-factor authentication (2FA) for your WhatsApp account.
The weaknesses that exist.
Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have discovered the flaw that can allow attackers to remotely suspend your WhatsApp account.
As first reported by Forbes, the researchers found that the flaw exists in the instant messaging app due to two fundamental weaknesses. The first weakness allows the attacker to enter your phone number on WhatsApp installed on their phones. This will, of course, not give access to your WhatsApp account unless the attacker obtains the six-digit registration code you’ll get on your phone.
Block code entries on WhatsApp.
Multiple failed attempts to sign in using your phone number will also block code entries on WhatsApp installed on the attacker’s phone for 12 hours.
However, while the attacker won’t be able to repeat the sign-in process with your phone number, they will be able to contact WhatsApp support to deactivate your phone number from the app. What they need is a new email address and a simple email stating that the phone has been stolen or lost. In response to that email, WhatsApp will ask for a confirmation that the attacker will quickly provide from their end.
This will deactivate your WhatsApp account, meaning that you’ll no longer be able to access the instant messaging app on your phone. You won’t be able to avoid that deactivation by using 2FA on your WhatsApp account as the account has apparently been deactivated through the email sent by the attacker.
How do you reactivate your account after that?
In a regular deactivation case, you can activate your WhatsApp account back by verifying your phone number. This is, however, not possible if the attacker has already locked the verification process for 12 hours by making multiple failed attempts to sign in to your WhatsApp account. This means that you’ll also be restricted from getting a new registration code on your phone number for 12 hours.
The attacker can also repeat the process of failed sign-in attempts to restrict your account for another 12 hours when the first one expires. This highlights that WhatsApp will treat your phone the same way it is treating the attacker’s one and will block sign-in access. You’ll only have the option to get your WhatsApp account back by contacting the messaging app over email.
However, WhatsApp has not provided any details on whether it is fixing the vulnerability to avoid its adverse effect on the masses.
It is currently unclear whether an attacker has exploited the vulnerability in the wild. However, considering the fact that the details about the flaw are now in the public, it could easily be leveraged to restrict anyone from using their WhatsApp — at least for a few hours.
Most of the users aren’t likely to have their email addresses registered with their accounts at this moment. Therefore, the scope of the reported vulnerability is quite wide.