Your WhatsApp account can be suspended by anyone who has your phone number

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
If you're a frequent user of WhatsApp, you may want to keep an eye on a disturbing hole discovered in its security this weekend. It's possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing there's no solution for this issue.

This newly-discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can't verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.

Here's where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp "verifies" this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.

The attack is a proof-of-concept from a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, and was first reported by Forbes. The results are disturbing, but at the very least, this method can't be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed.

There's no indication that this technique is being used in the wild. But when pressed for comment, WhatsApp was evasive, and did not indicate that it's working to resolve the hole in its security. A representative said that providing an email address with your two-factor authentication credentials can help avoid this hypothetical scenario, but that still puts the responsibility on WhatsApp for actually following its own best practices.

WhatsApp, which is owned by Facebook, warns that using this vulnerability violates its terms of service. Which isn't much of a deterrent, since it can be performed anonymously with any mobile device and a throwaway email. As an Android Police staff member opined, maybe "it'll get fixed when someone does this to Zuckerberg's number, which was recently leaked in a Facebook account dump." It seems like security issues, and a less-than-satisfactory response to them, will continue to be a problem in Facebook's growing corporate empire.
 
Last edited by a moderator:

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
Joke on you, I don't use and have Whatsapp account. :ROFLMAO:
yKguuiK.jpg
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top