A new WhatsApp vulnerability revealed, that might permit attackers to deactivate your account remotely. WhatsApp has recommended that users should provide their email address with the two-step verification to avoid such a hack.
Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have discovered the error that can allow attackers to remotely suspend your WhatsApp account. As first reported by Forbes, the researchers found that the flaw exists in the instant messaging app due to two fundamental weaknesses.
A large number of WhatsApp users are said to be at risk as a remote attacker can deactivate WhatsApp on your phone and then restrict you from activating it back. The vulnerability can be exploited even if you’ve enabled two-factor authentication (2FA) for your WhatsApp account.
WhatsApp has discovered a vulnerability that allows an invader to suspend your account remotely using your phone number. The flaw that has now been found by security researchers appears to have existed on the instant messaging app for quite some time now — due to fundamental weaknesses.
The first weakness allows the attacker to enter your phone number on WhatsApp installed on their phones. This will, of course, not give access to your WhatsApp account unless the attacker obtains the six-digit registration code you’ll get on your phone. Multiple failed attempts to sign in using your phone number will also block code entries on WhatsApp installed on the attacker’s phone for 12 hours.
However, while the attacker won’t be able to repeat the sign-in process with your phone number, they will be able to contact WhatsApp support to deactivate your phone number from the app. What they need is a new email address and a simple email stating that the phone has been stolen or lost. In response to that email, WhatsApp will ask for a confirmation that the attacker will quickly provide from their end.
Android Malware Discovered on Google Play That Spreads Via WhatsApp
This will deactivate your WhatsApp account, meaning that you’ll no longer be able to access the instant messaging app on your phone. You won’t be able to avoid that deactivation by using 2FA on your WhatsApp account as the account has been deactivated through the email sent by the attacker.
In a regular deactivation case, you can activate your WhatsApp account back by verifying your phone number. This is, however, not possible if the attacker has already locked the verification process for 12 hours by making multiple failed attempts to sign in to your WhatsApp account. This means that you’ll also be restricted from getting a new registration code on your phone number for 12 hours. The attacker can also repeat the process of failed sign-in attempts to restrict your account for another 12 hours when the first one expires. WhatsApp Could Soon Allow Moving Chats Between Android and iOS
This highlights that WhatsApp will treat your phone the same way it is treating the attacker’s one and will block sign-in access. You’ll only have the option to get your WhatsApp account back by contacting the messaging app over email.
However, WhatsApp has not provided any details on whether it is fixing the vulnerability to avoid its adverse effect on the masses. It is currently unclear whether an attacker has exploited the vulnerability in the wild. However, considering the fact that the details about the flaw are now in the public, it could easily be leveraged to restrict anyone from using their WhatsApp — at least for a few hours.
WhatsApp has a massive user base of more than two billion users worldwide, with over 400 million users in India alone. Most of the users aren’t likely to have their email addresses registered with their accounts at this moment. Therefore, the scope of the reported vulnerability is quite wide.