Update (April 14, 2021): “Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate,” a WhatsApp spokesperson said in a statement to BGR India.
A new flaw that lets anyone suspend a user’s WhatsApp account without their consent has been discovered. All an attacker needs to carry out the attack is the victim’s phone number. The loophole was discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, and was first reported by Forbes.
However, keep in mind that the attacker can only lock a user out of their WhatsApp account, not gain access to it, so private chats and contacts should not be exposed. So, what is the new WhatsApp flaw and how does it work? We take a look:
WhatsApp flaw lets anyone suspend user’s account using their phone number
To carry this out, attackers first install WhatsApp on their own device and try to register it with the victim’s phone number. Because WhatsApp’s verification step sends the SMS codes or calls to the victim’s phone number, the attackers never receive the codes and can only enter wrong ones, so they are not able to log in.
Since WhatsApp only sends a limited number of codes, the repeated failed attempts cause verification for that number to be locked for 12 hours. During that time neither the victim nor the attacker can log in to the WhatsApp account.
The next part is where it gets interesting. The attacker then registers a new email address and sends an email to firstname.lastname@example.org requesting to deactivate the number (victim’s phone number), citing lost/stolen phone as the reason.
“So, to be very clear. WhatsApp has received an email referencing your phone number. They have no way of knowing whether this is really from you. There are no follow-up questions to confirm your ownership of the number. But an automated process has been triggered, without your knowledge, and your account will now be deactivated,” as per the Forbes report.
Within an hour or so, the victim will possibly get a message saying their account has been deactivated as their phone number is no longer registered with WhatsApp on the phone. “This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log back into your account.”
As of now, it is unclear if the loophole is being used to exploit WhatsApp users. “A representative said that providing an email address with your two-factor authentication credentials can help avoid this hypothetical scenario, but that still puts the responsibility on WhatsApp for actually following its own best practices,” a WhatsApp representative told Android Police.