WhatsApp Warning: With New Rip-off Anybody Can “Simply” Block Your Chat App

WhatsApp users are being warned of an obvious security issue with the world’s most popular messaging app. The flaw allows attackers to lock you out of your account by getting it deactivated. And what do bad actors need to wreak all this havoc? Nothing more than your phone number.

The terrible new scam was first highlighted by a security researcher on Forbes. Anyone can be banned from their account within 36 hours, warned security researchers Luis Márquez Carpintero and Ernesto Canales Pereña.

The attack is possible because literally anyone can install WhatsApp on their device and, during the initial account setup, enter a cell phone number that belongs to someone else. When someone does this, WhatsApp sends texts and calls to the number's real owner with the six-digit code required to complete the setup process.


Unless a hacker gets you to send them this code, it is next to impossible for them to guess it. So an attacker would try to enter this crucial code and keep failing.

So far, no problem. The problem is that after a number of failed attempts, WhatsApp pauses the creation of these codes.

The chat app tells anyone who tries, and fails, to set up WhatsApp that they have to “resend SMS / call me in 12 hours”.

After these 12 hours, an attacker would have to repeat the same method to ensure that WhatsApp again blocks the creation of new setup codes. During the second 12-hour period, in which no new setup codes are generated, an attacker can create a fake email address and contact WhatsApp support.

The bad actor can provide a target’s phone number and say their account has been lost or stolen and request that the account be deactivated.

WhatsApp can then lock a user out of their account without verifying that the person who contacts them via email is the person the phone number belongs to. If the attacker waits for the second 12-hour cycle to begin, then by the time the third one comes around WhatsApp seems to break down.

Instead of being told that new setup codes can be created in 12 hours, a user is instructed by WhatsApp to try again in less than a second.

If the attack has progressed to this point and the attacker has contacted WhatsApp support before the victim does, the target will have a huge headache trying to get their account back. At that point, the researchers said, it is “too late,” and instead of dealing with an automated help system, a victim must try to track down someone to speak to in person.

Speaking of the threat, ESET’s Jake Moore said, “This is another worrying hack that could affect millions of users who could potentially be affected by this attack. So many people rely on WhatsApp as their primary social and work communication tool. It is alarming how easily this can be done.”

Meanwhile, a WhatsApp spokesperson said, “Providing a two-step verification email address will help our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our Terms of Use and we encourage anyone who needs help to email our support team so we can investigate.”
