Researchers warn of a new WhatsApp vulnerability that allows cybercriminals to block any user’s account just by knowing the phone number associated with the profile. Within twelve hours an attacker can take away the legitimate user’s access, and the issue affects even those who have two-step verification enabled.
This defect, identified by cybersecurity researchers Luis Márquez Carpintero and Ernesto Canales Pereña and explained in detail in Forbes, stems from two separate WhatsApp processes that a cybercriminal can combine to block an account and prevent its owner from accessing it again.
The first part of the vulnerability is that anyone can enter a WhatsApp user’s phone number in the app’s registration screen. The victim then receives a six-digit verification code by SMS or phone call, together with a notification about the code request reminding them that they should never share this code with anyone.
The security drawback is that cybercriminals can do this while the user continues to use their WhatsApp account normally. The attacker never receives the code, since it is sent by SMS to the rightful owner’s phone, so they repeatedly enter wrong codes instead. After enough incorrect entries, the app blocks the sending of a new code for twelve hours, and no verification code can be entered in the meantime.
As the second part of the vulnerability, cybercriminals can send an email to WhatsApp Support claiming that the phone has been stolen and requesting that the account be deactivated. In this process, they only need to state the phone number associated with the account.
WhatsApp receives an email indicating a phone number but does not confirm that it comes from the legitimate user. There are no follow-up questions to verify that the sender actually owns the number.
Once this is done, the messaging service begins deactivating the account, and the victim receives a notification informing them that their number is no longer associated with WhatsApp. When the victim tries to re-register by entering their phone number, the app does not send a new code by SMS and warns that they must wait twelve hours because too many requests have already been made.
However, after the twelve hours, instead of allowing a new code request, WhatsApp reports that there are “-1 seconds” left before a new SMS code can be generated. This error message is displayed to both the victim and the attacker.
In this way, according to the researchers, the account is effectively blocked for good, and the victim cannot reactivate it unless they contact WhatsApp support directly to have the account’s status reviewed manually.
The combination of a verification method based only on the phone number, a limit on how many wrong codes may be entered, and automated actions triggered by emailed requests makes this type of abuse possible and can end with the account being closed.
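As an added illustration (not WhatsApp’s code and not the researchers’), the model below simulates why a lockout keyed on the phone number alone lets a third party lock out the number’s owner, and how keying it on the requesting device and clamping the countdown avoids both the lockout and the “-1 seconds” state. The attempt threshold, the device identifiers and the phone number are constructed assumptions.

```python
import time
from collections import defaultdict

LOCKOUT_SECONDS = 12 * 3600  # the twelve-hour wait the article describes
MAX_WRONG_ATTEMPTS = 3       # assumed threshold; the article gives no number


class CodeVerifier:
    """Toy SMS verification-code flow. scope="number" keys wrong attempts and
    the lockout on the phone number alone, so anyone who knows the number can
    lock out its owner (the behaviour the researchers describe).
    scope="requester" keys them on (number, requesting device) instead."""
    def __init__(self, scope, clock=time.time):
        self.scope = scope
        self.clock = clock            # injectable for deterministic tests
        self.wrong = defaultdict(int)
        self.locked_until = {}

    def _key(self, number, requester):
        return number if self.scope == "number" else (number, requester)

    def lockout_remaining(self, number, requester):
        until = self.locked_until.get(self._key(number, requester), 0)
        # Clamp at zero: raw subtraction reports "-1 seconds" once the
        # deadline has passed, the stuck state the researchers observed.
        return max(0, int(until - self.clock()))

    def request_code(self, number, requester):
        return "locked" if self.lockout_remaining(number, requester) else "sent"

    def submit_code(self, number, requester, code, real_code):
        key = self._key(number, requester)
        if self.lockout_remaining(number, requester):
            return "locked"
        if code == real_code:
            self.wrong[key] = 0
            return "ok"
        self.wrong[key] += 1
        if self.wrong[key] >= MAX_WRONG_ATTEMPTS:
            self.locked_until[key] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def simulate(scope):
    """Constructed scenario: a third party enters wrong codes for a number
    from its own device, then the owner tries to request a fresh code."""
    v = CodeVerifier(scope)
    for _ in range(MAX_WRONG_ATTEMPTS):
        v.submit_code("+1-555-0100", "other-device", "000000", "123456")
    return v.request_code("+1-555-0100", "owner-device")
```

`simulate("number")` returns `"locked"` for the owner, while `simulate("requester")` returns `"sent"`, which is the whole difference between the two designs.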
What do you do in these cases?
A WhatsApp spokesperson consulted by the aforementioned news site said: “Providing an email address with two-step verification helps our customer service team assist people in the rare event that they encounter this rare issue. The circumstances identified by this researcher violate our Terms of Service and we encourage anyone who needs assistance to email our support team so we can investigate.”
In addition to registering an email address when enabling two-step verification, as soon as you notice something unusual, such as receiving WhatsApp activation codes you did not request, it is recommended that you contact the support team immediately to prevent the account from being blocked after 12 hours.