A vulnerability has been discovered in WhatsApp, the popular Facebook-owned messaging platform, that allows an attacker who knows only your phone number to remotely suspend your account.
Security researchers have found a flaw in the instant messaging app that appears to have existed for quite some time, because it stems from fundamental weaknesses in how registration is handled. Many WhatsApp users are said to be at risk, because a remote attacker can deactivate WhatsApp on your phone and then prevent you from reactivating it. The flaw can be exploited even if you have enabled two-factor authentication (2FA) for your WhatsApp account.
Fundamental weaknesses
The first weakness allows the attacker to enter your phone number into WhatsApp installed on their own phone. This will, of course, not grant access to your WhatsApp account unless the attacker obtains the six-digit registration code that is sent to your phone. Multiple unsuccessful attempts to sign in using your phone number will also disable code entry on the attacker’s phone for 12 hours.
Although the attacker won’t be able to use your phone number to sign in, they can contact WhatsApp support to have your phone number deactivated from the app. They only need a new email address and a simple email informing support that the phone has been stolen or lost. In response to that email, WhatsApp will request clarification, which the attacker can provide quickly.
As a result, your WhatsApp account will be deactivated and you will no longer be able to use the instant messaging app on your phone. You cannot prevent the deactivation of your WhatsApp account with 2FA, because the account was deactivated through the attacker’s email rather than through a sign-in attempt.
If your account has been deactivated, you can normally reactivate it by verifying your phone number. This is not possible, however, if the attacker has already locked the authentication process for 12 hours by attempting to sign in to your WhatsApp account several times. This means you won’t be able to receive a new registration code on your phone number for the next 12 hours. When that 12-hour lock expires, the attacker simply repeats the procedure to lock your account for another 12 hours.
This means WhatsApp treats your phone the same way it treats the attacker’s and prevents you from signing in. You will be able to reclaim your WhatsApp account only by sending an email to the messaging app.
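To make the lockout flaw concrete, here is a small simulation added for this article (it is not WhatsApp's code; the attempt threshold, the device identifiers and the phone number are constructed): a registration-code checker whose lockout is keyed on the phone number alone lets a stranger's wrong guesses lock the real owner out, while keying it on the requesting device does not.

```python
# Added illustration, not WhatsApp's implementation: a toy model of a
# registration-code rate limiter. The 12-hour window mirrors the article;
# MAX_FAILURES and all identifiers below are constructed assumptions.
from collections import defaultdict

LOCK_SECONDS = 12 * 3600
MAX_FAILURES = 5  # assumed threshold; the article does not give the real one


class CodeVerifier:
    """Simulates the server-side check of a six-digit registration code."""

    def __init__(self, correct_code: str, key_on_requester: bool):
        self.correct_code = correct_code
        self.key_on_requester = key_on_requester
        self.failures = defaultdict(int)  # failed attempts per lockout key
        self.locked_until = {}            # lockout key -> unlock timestamp

    def _key(self, phone, requester):
        # Weak design: one counter per phone number, shared by everyone who
        # types that number. Better design: one counter per (number, device).
        return (phone, requester) if self.key_on_requester else phone

    def try_code(self, phone, requester, code, now):
        key = self._key(phone, requester)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if code == self.correct_code:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS
            self.failures.pop(key, None)
        return "wrong"


def simulate(key_on_requester):
    """A stranger burns the failure budget, then the owner enters the right code."""
    v = CodeVerifier("123456", key_on_requester)
    for _ in range(MAX_FAILURES):
        v.try_code("+15550001111", "stranger-device", "000000", now=0)
    # One second later the real owner submits the correct code from their phone.
    return v.try_code("+15550001111", "owner-device", "123456", now=1)
```

A per-device key is only as strong as the server's ability to pin the requester to something it cannot freely change, so a real deployment still needs a global throttle per number and an out-of-band recovery path that the owner, not an emailer, controls.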
Meanwhile, WhatsApp has not provided any details on whether it is fixing the vulnerability to prevent it from being used against the general public.