A new WhatsApp vulnerability reportedly allows an attacker who knows nothing more than your phone number to remotely suspend your account. According to a Forbes report on findings by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, the weakness appears to have existed in the messaging app for a long time. Worse, it can stop you from reactivating your account afterwards, even if you have two-step verification (WhatsApp's form of two-factor authentication) enabled.
The report attributes the vulnerability to two separate weaknesses. The first is that anyone can enter your phone number into a fresh WhatsApp installation on their own phone and begin registering your number on that device.
The attacker never receives the six-digit verification code, which WhatsApp sends by SMS to your phone. But they can keep submitting wrong codes, and after enough failures WhatsApp blocks further verification attempts for that number for 12 hours. The block applies to the number itself, not just to the attacker's device.
Meanwhile, the attacker uses the second weakness: they contact WhatsApp support and ask for your number to be deactivated permanently. All it takes to convince WhatsApp that the number is theirs is an email, sent from a newly created address, claiming that 'their' phone has been lost or stolen. Nothing in that process ties the sender of the email to the number.
What does this do?
Combining the two weaknesses, an attacker can deactivate your WhatsApp account with very little effort. When an account is deactivated the normal way, you can reverse it simply by re-verifying your phone number. That recovery path fails here: the attacker's repeated failed verification attempts have already put the number into the 12-hour lockout, so your own verification attempts are rejected as well. WhatsApp appears to apply the lockout per phone number after too many failed attempts, without distinguishing who made them.
Once the loophole has been exploited, your own sign-in attempts look to WhatsApp like yet another third party trying to get in. In effect, the service treats you, the legitimate owner, as the attacker.
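The lockout behaviour described above is the root of the first weakness: a throttle keyed on the phone number alone turns any stranger's failed attempts into a denial of service against the real owner. The following is an added example, not WhatsApp's code and not the researchers' proof of concept; it is a hypothetical model of that throttle beside a hardened variant keyed on the requesting device. The failure threshold (MAX_FAILURES), the sample number and the sample code are assumptions, since the page does not give them; the 12-hour window is the one the article reports.

```python
"""Hypothetical model of a per-number verification lockout and its abuse.

Added example: this is not WhatsApp's code. It simulates two ways of
throttling wrong verification codes and shows why the first one lets a
stranger who knows only your phone number lock you out of your own account.
"""
from dataclasses import dataclass

LOCKOUT_SECONDS = 12 * 60 * 60  # 12-hour lockout, as reported in the article
MAX_FAILURES = 5                # assumption: the real threshold is not on the page

PHONE = "+15555550100"          # constructed sample number, not a real account


@dataclass
class _Counter:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class _Lockout:
    """Shared throttling logic; subclasses decide what the counter is keyed on."""

    def __init__(self, secret_code: str):
        self._code = secret_code   # the code the service would send by SMS to the owner
        self._state = {}

    def _key(self, phone: str, requester: str):
        raise NotImplementedError

    def verify(self, phone: str, requester: str, code: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked' for one verification attempt."""
        c = self._state.setdefault(self._key(phone, requester), _Counter())
        if now < c.locked_until:
            return "locked"
        if code == self._code:
            c.failures = 0
            return "ok"
        c.failures += 1
        if c.failures >= MAX_FAILURES:
            c.failures = 0
            c.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


class NumberLockout(_Lockout):
    """Vulnerable design: one counter per phone number, whoever submits the code."""

    def _key(self, phone, requester):
        return phone


class RequesterLockout(_Lockout):
    """Hardened design: one counter per (phone number, requesting device)."""

    def _key(self, phone, requester):
        return (phone, requester)


def run_attack(limiter_cls):
    """Attacker spams wrong codes for PHONE from their device, then the real owner
    submits the correct SMS code. Returns (owner_result, attacker_result)."""
    lim = limiter_cls(secret_code="482913")      # constructed sample code
    now = 0.0
    for _ in range(MAX_FAILURES):
        lim.verify(PHONE, "attacker-device", "000000", now)
        now += 1.0
    owner = lim.verify(PHONE, "owner-device", "482913", now)
    attacker = lim.verify(PHONE, "attacker-device", "000000", now)
    return owner, attacker


def owner_after_lockout_expires(limiter_cls):
    """Owner retries with the correct code once the 12-hour window has passed."""
    lim = limiter_cls(secret_code="482913")
    for i in range(MAX_FAILURES):
        lim.verify(PHONE, "attacker-device", "000000", float(i))
    return lim.verify(PHONE, "owner-device", "482913", MAX_FAILURES + LOCKOUT_SECONDS)


if __name__ == "__main__":
    for cls in (NumberLockout, RequesterLockout):
        print(cls.__name__, run_attack(cls))
```

With NumberLockout the owner's correct code is rejected with "locked" because the attacker's five failures already tripped the number-wide counter; with RequesterLockout the attacker is locked out but the owner's attempt returns "ok". This is the general class of bug known as an overly restrictive account lockout (CWE-645): the throttle punishes the victim for an unauthenticated party's behaviour. Keying on the requester is only a partial fix, since an attacker can rotate device identifiers or source addresses, so real systems pair it with per-source rate limits or proof-of-work on the requester rather than a blanket per-account block. Nothing in this code addresses the second weakness in the article, which is a support process that deactivates a number on the strength of an unverified email.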
What can you do to prevent such an attack?
In a statement provided to indianexpress.com, WhatsApp said that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”
The statement suggests that users can limit the damage by adding an email address to two-step verification in WhatsApp (Settings > Account > Two-step verification), which gives the support team a way to confirm who actually owns the number. Note that this does not prevent the lockout itself; it only helps you recover afterwards, and it relies on support checking that address before acting on a deactivation request. WhatsApp has not said whether it will change the lockout or the support process to close the loophole. Until it does, linking an email address to your two-step verification is the best available precaution.