An attacker can lock you out of the app using just your phone number and without requiring any action on your part.
If you use WhatsApp, you may want to be wary of an attack where cybercriminals could suspend your account using only your phone number. The underlying loophole abuses a lapse in security of two independent WhatsApp processes, according to Forbes, which quoted research by Luis Márquez Carpintero and Ernesto Canales Pereña.
For context, when you first go through the process of setting up your WhatsApp account on a device, you’re asked for your phone number to which a verification code is sent. Once you enter the code, you’re prompted for your two-factor authentication (2FA) number to confirm your identity.
However, there is no way to prevent anyone from using your number in the verification process. If an attacker were to do that, you would receive calls and messages from WhatsApp with a verification code, together with a notification urging you not to share the registration code with anyone. The criminal could do this repeatedly, whereas you might disregard the messages as a bug.
The requests would ultimately trigger WhatsApp’s limit on the number of times the codes can be sent and would also cause codes to be blocked after several wrong attempts – both for 12 hours. The timeout would affect you too, although you might not notice unless you log out in the interim.
In the next step, the threat actor would create a new email address and shoot an email to WhatsApp’s support with the subject “lost/stolen phone” and will ask them to deactivate your number. Apparently, the platform will verify the attacker’s “identity” only by sending out an automatic email that requests your number again, to which the impersonator will oblige. WhatsApp will then suspend your account. And since the limit on verification attempts has been reached, you won’t be able to log in until the 12-hour timer runs out.
RELATED READING: Wormable Android malware spreads via WhatsApp messages
Unfortunately, if the attacker were to abuse the 12-hour cycle three times in a row, WhatsApp would crash and instead of prompting the user to “try again after 12 hours” it will show a message reading “try again after -1 seconds”. The researchers warned that if the attacker waited until this point, there would be no way to get your account back unless you find someone at WhatsApp willing to help.
Speaking to Forbes, a WhatsApp spokesperson said that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”
The issue has caught the eye of ESET Security Specialist Jake Moore, who actually showed recently how someone could take control of your WhatsApp account by just knowing your phone number. Moore warned that the new flaw shouldn’t be taken lightly, especially since it could impact millions and is relatively easy to pull off.
“There is no way of opting out of being discovered on WhatsApp,” he said. “Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy focused would help protect users from this, as well as forcing people to implement a two-step verification PIN.”
written by Amer Owaida, ESET We Live Security