A newly-discovered flaw in the Facebook-owned messaging app WhatsApp can allow an attacker to suspend your account, using just your phone number. The proof-of-concept of this attack was developed by Luis Márquez Carpintero and Ernesto Canales Pereña.
It involves some pretty simple steps, where wannabe hackers install WhatsApp on a new phone, using the number of the person they are targeting.
WhatsApp tries to use two-factor authentication during logins to verify that the new device belongs to the account holder, but the method is flawed.
Here’s the flaw
If the hacker keeps attempting to log in, they will exhaust the allowed log-in attempts and the account will be suspended for 12 hours. The attacker can then register a new email address and contact WhatsApp’s automated system, claiming that the phone has been stolen or lost.
Then, they can ask that the WhatsApp account associated with that number be shut down.
WhatsApp’s automated system then sends an email confirming that the account has been suspended, without asking the attacker for any further proof that they are the legitimate owner of the account.
What did WhatsApp say?
WhatsApp has not discussed a potential solution for this. Forbes was told that WhatsApp recommends users provide an email for two-factor authentication to help support representatives when they face this issue, which they labelled an “unlikely problem.”
Instead of being nonchalant like this, a company with over 2 billion users should really be pulling its green pants up, especially since its parent company is a company with 2.7 billion monthly active users, and wears blue pants that are often on fire.
In hindsight, we really shouldn’t be surprised by this reaction at this point.