Updated: Apr 16
Examine how an intruder can quickly deactivate your phone number using just your phone number.
According to reports, a recent WhatsApp vulnerability allows attackers to remotely suspend your account by using your phone number. The latest vulnerability appears to have existed on the instant messaging app for a long time, according to a Forbes study by security researchers Luis Márquez Carpintero and Ernesto Canales Perea. Furthermore, even though you have Two-Factor Authentication, it enables attackers to prevent you from accessing your account again.
According to the study, vulnerability is caused by two fundamental flaws. The first flaw allows attackers to use their phones to insert your phone number into a WhatsApp installation. The intruder will then start logging into your account with your phone number.
Although the intruder will not be able to access the six-digit security code sent to your account via SMS, he or she will be able to repeatedly enter incorrect security codes, causing your account to lock new installations for 12 hours.
Meanwhile, the attacker will take advantage of the second fundamental flaw by contacting WhatsApp's customer service and requesting that your number be permanently deactivated. To persuade WhatsApp that your number is really his or hers, the intruder simply needs to send an email from a new email address claiming that ‘their' phone has been lost or stolen.
What is the purpose of this?
An attacker could easily deactivate your WhatsApp account by exploiting the flaw. If your account is regularly deactivated, you can always trigger
it again by checking your phone number. The system, however, will not work if the steps above are followed and several sign-in attempts have been made, resulting in new sign-in attempts being blocked. WhatsApp tends to lockout a user after an excessive number of attempts to reset an account has been made.
Once the intruder has exploited this flaw, your sign-in attempts would actually be flagged as a third-party attempting to gain access, effectively making WhatsApp believe you are an attacker attempting to gain access.
What would you do to avoid an assault like this?
“Providing an email address with your two-step verification lets our customer service team assist people should they ever experience this unlikely problem,” WhatsApp said in a statement to indianexpress.com. We encourage anyone who needs assistance to contact our support team so we can investigate the circumstances found by this researcher, and we encourage anyone who needs help to email our support team so we can investigate.”
Users can protect themselves from this attack method by linking their WhatsApp accounts to their email addresses, according to the procedure. WhatsApp, on the other hand, has yet to say whether it would work to close the loophole. It's best to link until then.
To help their work, Newsmusk allows writers to use primary sources. White papers, government data, initial reporting, and interviews with industry experts are only a few examples. Where relevant, we also cite original research from others respected publishers.