- WhatsApp appears to have two fundamental weaknesses
- Attackers can block re-registration by simply using your phone number
- WhatsApp support team deactivates account upon receiving an email
WhatsApp is found to have a vulnerability that can allow an attacker to suspend your account remotely using your phone number. The flaw that has now been found by security researchers appears to have existed on the instant messaging app for quite some time now — due to fundamental weaknesses. A large number of WhatsApp users are said to be at risk as a remote attacker can deactivate WhatsApp on your phone and then restrict you from activating it back. The vulnerability can be exploited even if you’ve enabled two-factor authentication (2FA) for your WhatsApp account.
Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have discovered the flaw that can allow attackers to remotely suspend your WhatsApp account. As first reported by Forbes, the researchers found that the flaw exists on the instant messaging app due to two fundamental weaknesses.
The first weakness allows the attacker to enter your phone number on WhatsApp installed on their phones. This will, of course, not give access to your WhatsApp account unless the attacker obtains the six-digit registration code you’ll get on your phone. Multiple failed attempts to sign in using your phone number will also block code entries on WhatsApp installed on the attacker’s phone for 12 hours.
However, while the attacker won’t be able to repeat the sign in process with your phone number, they will be able to contact WhatsApp support to deactivate your phone number from the app. What they need is a new email address and a simple email stating that the phone has been stolen or lost. In response to that email, WhatsApp will ask for a confirmation that the attacker will quickly provide from their end.
This will deactivate your WhatsApp account, meaning that you’ll no longer be able to access the instant messaging app on your phone. You won’t be able to avoid that deactivation by using 2FA on your WhatsApp account as the account has apparently been deactivated through the email sent by the attacker.
In a regular deactivation case, you can activate your WhatsApp account back by verifying your phone number. This is, however, not possible if the attacker has already locked the verification process for 12 hours by making multiple failed attempts to sign in to your WhatsApp account. This means that you’ll also be restricted from getting a new registration code on your phone number for 12 hours. The attacker can also repeat the process of failed sign-in attempts to restrict your account for another 12 hours when the first one expires.
This highlights that WhatsApp will treat your phone the same way it is treating the attacker’s one and will block sign in access. You’ll only have the option to get your WhatsApp account back by contacting the messaging app over email.
A WhatsApp spokesperson told Gadgets 360 that users could avoid the problem of getting their accounts deactivated by attackers using the newly discovered flaw by registering their email address to their account via two-step verification.
“Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate,” the spokesperson said.
However, WhatsApp has not provided any details on whether it is fixing the vulnerability to avoid its adverse effect on the masses.
It is currently unclear whether an attacker has exploited the vulnerability in the wild. However, considering the fact that the details about the flaw are now in the public, it could easily be leveraged to restrict anyone from using their WhatsApp — at least for a few hours.
WhatsApp has a massive user base of more than two billion users worldwide, with over 400 million users in India alone. Most of the users aren’t likely to have their email addresses registered with their accounts at this moment. Therefore, the scope of the reported vulnerability is quite wide.