A pair of researchers have uncovered a flaw (reported via Forbes) that allows attackers to lock anyone out of their WhatsApp account with nothing more than the victim’s phone number, or, at the very least, to get the WhatsApp account suspended.
Malicious actors can easily exploit this vulnerability to lock you out of your WhatsApp account indefinitely, which makes it far more than a minor inconvenience for the victim.
Vulnerability Discovered That Could Lead to WhatsApp Account Suspension
The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it, because the two-factor authentication system sends the login prompts to your phone instead. After multiple repeated and failed attempts, login for your number is locked for 12 hours.
To prevent you from logging in on a new device indefinitely, an attacker only needs to repeat the steps above three times.
On the third 12-hour cycle, the app’s suspension timer will break and start showing a “-1 seconds” timer instead. Once that bug shows up, WhatsApp won’t let you log in on a new device at all.
However, your current install will continue to work. But the exploit doesn’t end there: it can be chained with a second step that drastically increases its impact.
The attacker’s final move will break your current install as well, and you’ll be locked out of your account permanently.
For this, all the attacker needs to do is send WhatsApp an email asking the service to deactivate your phone number.
WhatsApp might send an automated reply asking the attacker to confirm the number, and once they confirm, WhatsApp will automatically deactivate your account without your knowledge.
Your current WhatsApp install will then stop working suddenly, and you’ll see the following notification: “Your phone number is no longer registered with WhatsApp on this phone. This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log back into your account.”
Now, when you try to verify your phone number, you’ll see the “-1 seconds” suspension timer, and you won’t be able to log in at all.
Anyone who knows your phone number can lock you out of your WhatsApp account in a matter of days. WhatsApp therefore needs to address this glaring issue immediately.
WhatsApp has a massive user base of more than two billion users worldwide, with over 400 million users in India alone. Most users aren’t likely to have their email addresses registered with their accounts at the moment. Therefore, the scope of the reported vulnerability is quite wide.
WhatsApp has already been alerted to the issue. In response to the disclosure, a WhatsApp spokesperson told Forbes that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.”
The fact that WhatsApp considers this to be an “unlikely” problem should be reason enough for many users to move away from the service.
On top of that, the spokesperson added that those attempting the exploit would be violating WhatsApp’s terms of service.
As if that will scare away hackers or stop pranksters from trying the exploit on an unsuspecting user.
That said, it’s highly problematic that this flaw exists, especially as WhatsApp’s new policy for user accounts approaches. Let’s see what steps WhatsApp is going to take regarding this.