Facebook-owned WhatsApp has a security hole that can be exploited by anyone to shut you out of your account using nothing but your phone number.
Discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, the flaw places billions of WhatsApp users at risk: an attacker can remotely deactivate WhatsApp on your phone and then prevent you from reactivating it.
First reported by Forbes, the flaw arises from two fundamental weaknesses in the instant messaging app, the researchers found. In the first weakness, the attacker installs WhatsApp and enters your WhatsApp phone number to activate the chat service.
WhatsApp then sends a six-digit authentication code to that phone number for verification. Of course, the attacker doesn't have the code, because it was sent to the owner's phone. Multiple failed sign-in attempts block code entry on both the attacker's and the victim's phone for 12 hours.
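To make the first weakness concrete, here is a small model of the verification-code lockout, added to this article and not WhatsApp's own code. It places a verifier whose lock is keyed only on the phone number (so any requester's wrong guesses lock the owner out, as described above) beside a variant that scopes the lock to the requesting session and caps guesses per issued code instead of locking the number. The thresholds, the session identifiers, the sample number and code, and the scoped design itself are this author's assumptions.

```python
from collections import defaultdict

SESSION_MAX_FAILURES = 3     # wrong guesses a single requesting session may make
PHONE_MAX_FAILURES = 10      # wrong guesses tolerated per issued code, across all sessions
LOCK_SECONDS = 12 * 3600     # the 12-hour lock the article reports


class SharedLockoutVerifier:
    """Weak design: the failure counter and lock are keyed only by phone number,
    so wrong guesses from any requester lock the number for everyone, owner included."""

    def __init__(self):
        self.codes = {}                   # phone -> currently valid one-time code
        self.failures = defaultdict(int)  # phone -> consecutive wrong guesses
        self.locked_until = {}            # phone -> time (seconds) the lock expires

    def issue_code(self, phone, code):
        self.codes[phone] = code
        self.failures[phone] = 0

    def verify(self, phone, code, session, now):
        # 'session' is accepted but ignored: whoever is asking, the lock is on the number
        if self.locked_until.get(phone, 0) > now:
            return "locked"
        if self.codes.get(phone) == code:
            del self.codes[phone]         # a one-time code is consumed on success
            return "ok"
        self.failures[phone] += 1
        if self.failures[phone] >= SESSION_MAX_FAILURES:
            self.locked_until[phone] = now + LOCK_SECONDS
        return "wrong"


class ScopedLockoutVerifier:
    """Hardened variant (this author's assumption, not a documented WhatsApp change):
    the lock is keyed on (phone, session), so a stranger's guesses lock only the
    stranger's session; a separate per-code cap retires the code instead of locking
    the number, which bounds guessing without denying the owner."""

    def __init__(self):
        self.codes = {}
        self.session_failures = defaultdict(int)   # (phone, session) -> wrong guesses
        self.session_locked_until = {}             # (phone, session) -> lock expiry
        self.code_failures = defaultdict(int)      # phone -> wrong guesses at current code

    def issue_code(self, phone, code):
        self.codes[phone] = code
        self.code_failures[phone] = 0

    def verify(self, phone, code, session, now):
        key = (phone, session)
        if self.session_locked_until.get(key, 0) > now:
            return "locked"
        if phone not in self.codes:
            return "no_code"              # owner must request a fresh code
        if self.codes[phone] == code:
            del self.codes[phone]
            return "ok"
        self.session_failures[key] += 1
        self.code_failures[phone] += 1
        if self.session_failures[key] >= SESSION_MAX_FAILURES:
            self.session_locked_until[key] = now + LOCK_SECONDS
        if self.code_failures[phone] >= PHONE_MAX_FAILURES:
            del self.codes[phone]         # retire the guessed-at code; do not lock the number
            return "code_rotated"
        return "wrong"


PHONE, CODE = "+15550001111", "123456"   # constructed sample number and code


def replay_scenario(verifier_cls):
    """A stranger's session makes SESSION_MAX_FAILURES wrong guesses, then the owner enters the real code."""
    v = verifier_cls()
    v.issue_code(PHONE, CODE)
    for _ in range(SESSION_MAX_FAILURES):
        v.verify(PHONE, "000000", "stranger-device", now=0)
    return v.verify(PHONE, CODE, "owner-device", now=60)


def replay_rotation():
    """Many distinct sessions guess at one code; the scoped design retires the code
    once the per-code cap is hit, and the owner is asked for a fresh one rather than locked out."""
    v = ScopedLockoutVerifier()
    v.issue_code(PHONE, CODE)
    outcome = None
    for i in range(PHONE_MAX_FAILURES):
        outcome = v.verify(PHONE, "000000", f"session-{i}", now=0)
    return outcome, v.verify(PHONE, CODE, "owner-device", now=60)


if __name__ == "__main__":
    print("shared lock :", replay_scenario(SharedLockoutVerifier))   # locked
    print("scoped lock :", replay_scenario(ScopedLockoutVerifier))   # ok
    print("rotation    :", replay_rotation())                        # ('code_rotated', 'no_code')
```

The point the model makes is that a lock keyed only on the victim's identifier is a denial-of-service lever for anyone who knows that identifier; scoping the lock to the requester and retiring the code rather than the number removes that lever. The scoped design still needs a limit on how many fresh sessions a single source can open, otherwise a persistent guesser can force repeated code rotations, so it is a building block, not a complete scheme.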
In the second weakness, the attacker sends a support message to WhatsApp from their own email address, claiming that their phone (which is in fact the victim's) has been lost or stolen and that the account associated with your number needs to be deactivated. WhatsApp then confirms this with a reply and suspends your account without any input on your end. The attacker can repeat this process several times in succession to create a semi-permanent lock on your account.
After WhatsApp has deactivated the account, the victim won't have access to it, and 2FA on the account does nothing to bring it back.
The effect of this flaw is disturbing. On the bright side, it can't be used to gain access to an account, only to block the legitimate owner's access. Chats and contacts were not exposed by the flaw.
A WhatsApp spokesperson says users can avoid having their accounts deactivated by attackers by adding an email address to their account's two-factor authentication.
"Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate," the spokesperson said.
Though there's no indication that this technique is being used in the wild, it won't be long before people start exploiting it now that the details are public. WhatsApp, for its part, hasn't said whether it is fixing the vulnerability, but warns that exploiting it violates its terms of service.