13 April 2021

Attacker can use a WhatsApp subscriber's phone number to suspend his service


A bad actor can use a major security exploit to suspend your WhatsApp account without your permission. The only information that the attacker needs is your phone number. According to Forbes, the attacker's first step is to install WhatsApp on a new phone using your phone number to activate the service.

What happens next is that WhatsApp, using two-factor authentication (2FA), tries to verify that it is you who just set up the new WhatsApp service on your phone. Since it isn't you, this procedure will fail over and over again, and if it is done multiple times, your account log-in is suspended for 12 hours. For the next step, the attacker sends an email to WhatsApp stating that his phone (which is really your handset) has been stolen or lost and asks that the WhatsApp account associated with the number be shut down.

Following this request, WhatsApp sends an email confirming that the account has been suspended, without asking the attacker for any kind of information that might prove that the request to suspend the account came from the legitimate owner of said account. This process can be repeated numerous times, which basically locks you out of your WhatsApp account.


A pair of security researchers named Luis Márquez Carpintero and Ernesto Canales Pereña completed a proof of concept that showed how this attack can block you from using your WhatsApp account. What it can't do is give bad actors a way to enter your account, so your confidential messages remain confidential. WhatsApp hasn't said anything yet about plugging the gaping security hole.

The Facebook-owned messaging app did suggest that users provide it with their e-mail address and two-factor authentication "credentials" to help prevent the above-mentioned scenario from taking place. But even if this info is given to WhatsApp, you still have to rely on it to follow through. WhatsApp does point out that taking advantage of this exploit violates its Terms of Service, which we wouldn't expect to be a deterrent against a hacker.
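To make the gap concrete, here is an added sketch (not WhatsApp's code and not from the researchers) that models a lost-phone deactivation desk two ways: honouring any request that names the number, and confirming through an e-mail address the owner registered beforehand. All class names, function names, status strings, the phone number and the addresses are assumptions made up for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    phone: str
    registered_email: Optional[str] = None  # address the owner registered in advance
    deactivated: bool = False

def deactivate_unverified(accounts, phone, sender_email):
    """Flow as the article describes it: the sender proves nothing."""
    acct = accounts.get(phone)
    if acct is None:
        return "unknown-number"
    acct.deactivated = True
    return "deactivated"

class VerifiedDesk:
    """Hypothetical hardened flow: confirm through the address on file."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}   # phone -> one-time token
        self.outbox = []    # (recipient, token) pairs standing in for sent mail

    def request(self, phone, sender_email):
        acct = self.accounts.get(phone)
        if acct is None:
            return "unknown-number"
        if acct.registered_email is None:
            return "needs-other-proof"  # nothing on file to confirm against
        token = secrets.token_urlsafe(16)
        self.pending[phone] = token
        # The token goes to the registered address, never to sender_email.
        self.outbox.append((acct.registered_email, token))
        return "confirmation-sent"

    def confirm(self, phone, token):
        expected = self.pending.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, token):
            return "rejected"
        self.accounts[phone].deactivated = True
        return "deactivated"

def demo():
    # Constructed sample data: placeholder number and example.com addresses.
    accounts = {"+10000000000": Account("+10000000000", "owner@example.com")}
    desk = VerifiedDesk(accounts)
    status = desk.request("+10000000000", "someone-else@example.com")
    guess = desk.confirm("+10000000000", "guessed-token")
    return status, guess, accounts["+10000000000"].deactivated
```

In the second flow a request from an unrelated address only triggers a confirmation message to the owner, and an account with no address on file falls through to some other proof of ownership instead of being shut down.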

ESET's Jake Moore says, "This is yet another worrying hack, one that could impact millions of users who could potentially be targeted with this attack. With so many people relying on WhatsApp as their primary communication tool for social and work purposes, it is alarming at what ease this can occur."

Source: phonearena.com
