WhatsApp flaw lets attackers suspend your account using your phone number
- Researchers have found a WhatsApp bug that could allow attackers to lock your account.
- You only need to contact support via email after several two-factor authentication attempts using your phone number.
- There is no indication that WhatsApp has a solution in the works.
You should be on your guard if you receive an unexpected WhatsApp two-factor authentication attempt – someone may be trying to close your account. Forbes Report about Android police) that security researchers Luis Márquez Carpintero and Ernesto Canales Pereña discovered a bug that could allow attackers to block your account if they have your phone number.
The perpetrator first requests several two-factor SMS codes and guesses them incorrectly, so that WhatsApp blocks logins on his device for 12 hours. After that, they register a new email address and email the support team to deactivate the number due to a lost or stolen account. Since WhatsApp automatically disables the number without verifying the authenticity of the request, you may be locked out without any input.
While you can theoretically revert to your WhatsApp account after this 12-hour window has expired, the attackers could attempt to ban you permanently by repeating the code requests two more times and waiting until that third period to email you to send the company. When they do, you will be asked to wait “-1 seconds” and you will have no choice but to ask WhatsApp for help in restoring your account.
See also: WhatsApp vs Telegram vs Signal: Which App Should You Use?
WhatsApp did not discuss a possible solution to the account error in a statement Forbes. Instead, it was recommended that users provide an email address with two-factor authentication to assist employees should they ever encounter this “unlikely problem”. Anyone attempting such an attack would violate the terms of use, added a company spokesman.
It is true that you are unlikely to see many such attacks. Intruders are usually interested in hijacking accounts rather than deactivating them, and you will know that something is wrong with this first series of SMS code requests. You should contact WhatsApp support immediately if you notice this activity.
However, there may be instances when someone wants to cause grief and WhatsApp makes it easy to find the owner of a phone number by searching for it. More importantly, it raises questions about the security of the WhatsApp account. Facebook’s own service could theoretically stop this by relying on trusted devices instead of phone numbers and manually review deactivation requests to spot suspicious activity.
Until that changes, it is best to just keep an eye on your text messages and act quickly.
