WhatsApp users beware: there is a hole in the app's security that could allow an attacker to suspend your WhatsApp account. All you need is a phone number.
Scary thing is, the attack is not hard to pull off. The one consolation is that it does not expose your messages or personal information; the attacker gains nothing but the satisfaction of locking you out, so the only motive is pure malice (a targeted denial of service).
The first stage of the attack is for the attacker to install WhatsApp on a new device and start registration using your phone number. WhatsApp sends a verification code by SMS to that number, that is, to your phone, so the attacker cannot prove they own the number and cannot actually get into your account.
What the attacker can do is keep requesting codes and keep entering wrong guesses. Each request sends another code to your phone, and after too many failed attempts WhatsApp stops accepting code entry for that number for 12 hours. The lock is tied to the number, not to the device that caused it, so you are locked out along with the attacker.
The second step is a little more involved, but not by much. Once the number is locked, the attacker emails WhatsApp support claiming that the phone has been lost or stolen and asking for the account to be deactivated.
WhatsApp does not ask for an email address when you register, so there is nothing to check the request against; support effectively treats whatever email address the attacker writes from as "authenticated," and the account is suspended through an automated process. If the attacker repeats the cycle, the account can be kept locked semi-permanently.
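The first stage hinges on the failed-attempt lockout being keyed to the phone number rather than to the device making the attempts. The following toy model, added here as an illustration and not WhatsApp's own code, replays that stage against two lockout policies: one keyed on the number (the behaviour the article describes) and a hardened variant keyed on the number plus the requesting client. Only the 12-hour lock duration comes from the article; the failure budget, the client identifiers and the phone number are assumptions constructed for the simulation.

```python
"""Toy model of a phone-number verification flow with an attempt lockout.

Added example: not WhatsApp's code and no claim about WhatsApp's real
thresholds or internals. Only the 12-hour lock duration comes from the
article; MAX_FAILURES, the client identifiers and the phone number are
constructed for illustration.
"""
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5                 # assumed failure budget
LOCKOUT_SECONDS = 12 * 60 * 60   # the 12-hour lock the article describes


@dataclass
class Budget:
    failures: int = 0
    locked_until: float = 0.0


class VerificationService:
    """A code is sent to the number (i.e. to whoever holds the phone) and
    must be typed back. Subclasses decide what the lockout is keyed on."""

    def __init__(self):
        self.codes = {}      # last code sent, per number
        self.budgets = {}    # lockout key -> Budget
        self.sms_log = []    # stand-in for SMS delivery: (number, code)

    def _key(self, phone, client):
        raise NotImplementedError

    def _budget(self, phone, client):
        return self.budgets.setdefault(self._key(phone, client), Budget())

    def is_locked(self, phone, client, now):
        return now < self._budget(phone, client).locked_until

    def request_code(self, phone, client, now):
        if self.is_locked(phone, client, now):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = code
        self.sms_log.append((phone, code))
        return True

    def submit_code(self, phone, client, code, now):
        b = self._budget(phone, client)
        if now < b.locked_until:
            return "locked"
        expected = self.codes.get(phone)
        if expected is not None and secrets.compare_digest(code, expected):
            self.codes.pop(phone)   # code is single-use
            b.failures = 0
            return "verified"
        b.failures += 1
        if b.failures >= MAX_FAILURES:
            b.failures = 0
            b.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


class PerNumberLockout(VerificationService):
    """The behaviour the article describes: the budget belongs to the
    number, so whoever burns it locks the number for its real owner."""
    def _key(self, phone, client):
        return phone


class PerClientLockout(VerificationService):
    """Hardened variant: the budget belongs to (number, requesting client),
    so the attacker's failures lock only the attacker's device."""
    def _key(self, phone, client):
        return (phone, client)


def simulate(service, now=0.0):
    """Attacker registers the victim's number on a fresh device and guesses
    wrong until locked; then the owner, who received the SMS, tries."""
    victim = "+15550100000"   # constructed number
    service.request_code(victim, "attacker-device", now)
    real_code = service.sms_log[-1][1]
    # The simulation peeks at the code only to build a guess that is
    # guaranteed wrong; the attacker never sees it.
    wrong_guess = f"{(int(real_code) + 1) % 10**6:06d}"
    attacker_results = [service.submit_code(victim, "attacker-device", wrong_guess, now)
                        for _ in range(MAX_FAILURES)]
    owner_locked_now = service.is_locked(victim, "owner-phone", now)
    owner_result = service.submit_code(victim, "owner-phone", real_code, now)
    owner_locked_after_12h = service.is_locked(victim, "owner-phone", now + LOCKOUT_SECONDS)
    return {"attacker_last": attacker_results[-1],
            "owner_locked_now": owner_locked_now,
            "owner_result": owner_result,
            "owner_locked_after_12h": owner_locked_after_12h}


if __name__ == "__main__":
    print("per-number lockout:", simulate(PerNumberLockout()))
    print("per-client lockout:", simulate(PerClientLockout()))
```

With the per-number policy the owner's correct code is rejected with "locked" until the 12 hours elapse, which is exactly the denial of service the researchers describe; with the per-client policy the attacker's device is locked and the owner verifies normally. Keying solely on the client is not a complete fix either, since an attacker can rotate devices or addresses, so a real service would combine a per-client lockout with separate rate limits on how often codes may be sent to a given number.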
Thankfully, there are no reports of this attack actually being used worldwide. Instead, it is a proof of concept by security researchers Luis Marques Carpintero and Ernesto Canales Pereña (via Forbes).
However, the hole is real, and exploiting it is not particularly complex. To make matters worse, WhatsApp has not confirmed whether it plans to fix the problem. This is troubling given that accounts are disabled anonymously and there is no way to determine which malicious actor is responsible.
When this happens, the only recourse is to contact WhatsApp support and try to reach a human. One can only hope that WhatsApp is actively working on a fix, because at the time of this writing the hole remains open to abuse.