Most of us use WhatsApp for daily communications inform of chats and over-the-top service calls. But you will have to know that there is a new security flaw that has been discovered. It’s possible for a hacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing, there’s no solution for this issue.
ALSO READ: iTest: iPhone users can now get a test of the Samsung Galaxy experience
This security flaw uses two separate parameters. The attacker can install WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it, because of course, the two-factor authentication system is sending the login prompts to your phone via SMS instead. After multiple repeated and failed attempts, your login is locked for 12 hours. The horror begins here for the owner of the number.
But the story is just getting started, with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email, and suspends your account without any input on your end. The hacker can repeat the process several times in succession to create a semi-permanent lock on your account.
It should however be noted that the attack is a proof-of-concept from two security researchers, Ernesto Canales Pereña and Luis Márquez Carpintero, and was first reported by Forbes. The results are disturbing, but at the very least, this method can’t be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed.
According to Android Central, there’s no indication that this technique is being used in the wild. But when pressed for comment, WhatsApp kept dodging to respond and did not indicate that it’s working to resolve the hole in its security. A representative said that providing an email address with your two-factor authentication credentials can help avoid this hypothetical scenario, but that still puts the responsibility on WhatsApp for actually following its own best practices.
