They discover a flaw in WhatsApp that allows an account to be blocked once its phone number is known

The logo of Facebook Inc.’s WhatsApp messaging app has been arranged. To get a smartphone photo in Hong Kong, China, on Tuesday, July 7, 2020. The internet giants of Facebook Inc. To Google and Twitter Inc. They will not do so by processing user data requests from the Hong Kong government amid concerns that the new security law may criminalize the protests. Photographer: Lamyck / Bloomberg

They warn of a new WhatsApp vulnerability that allows cybercriminals to block any user’s account just by knowing the phone number associated with the profile. Within twelve hours, an attacker can take away access to the legitimate user and this issue affects even those who have the second authentication factor active.

This defect, identified by cybersecurity researchers Luis Marquez Carpentero and Ernesto Canales Berina, and explained in detail in Forbes, Due to two separate processes in WhatsApp, used by a cybercriminal, that allow him to block an account and prevent the owner from accessing it again.

The first part of the vulnerability is that anyone can enter a WhatsApp user’s phone number. In this case, the victim receives a six-digit verification code via SMS or by calling, as well as a notification regarding the code request, in which he remembers that he should not share this information with anyone under any circumstances.

The security drawback is that cyber criminals can perform this process while the user continues to use their WhatsApp account in a normal way. The attacker will not receive the code, as he will reach via SMS to the phone of the rightful owner, so he will incorrectly enter various keys. By repeatedly entering an incorrect password, cybercriminals can select the app’s option to send a new code within twelve hours, preventing security codes from being entered in the meantime.

See also  The Osiris Rex spacecraft will study the asteroid again ...

As a second part of the vulnerability, cybercriminals can send an email to WhatsApp Support, warning of an alleged phone theft and requesting that the account be deactivated.. In this process, you only need to confirm the phone number associated with the account.

Within twelve hours, an attacker can rob a legitimate user (Image: Private)
Within twelve hours, an attacker can rob a legitimate user (Image: Private)

WhatsApp receives an email indicating a phone number but does not confirm whether it is from a legitimate user. There are no follow-up questions to confirm if the person is the owner of the number.

Once this is done, the messaging service begins the process of deactivating the user’s account, and the victim receives a notification informing him that his number is no longer associated with the account. When trying to reset and entering the phone number, the app does not send a new code by SMS and warns that it is necessary to wait for twelve hours because so many requests have been made before.

However, after twelve hours, instead of enabling a new icon, WhatsApp warns that there is “-1 seconds” left to generate a new SMS key. This error message is displayed to both the victim and the attacker.

This way, the user’s account is permanently blocked, according to the researchers, and the victim will not be able to reactivate it unless they directly contact WhatsApp support to manually review the status.

The combination of the account verification method, the addition of wrong code limits that can be entered, and automated actions based on mail orders can lead to this type of abuse that may lead to the account being closed.

See also  It brought in over $ 76 million

What do you do in these cases?

A WhatsApp spokesperson consulted by the aforementioned news site said:Providing an email address with two-step verification helps our customer service team assist people in the rare event that they encounter this rare issue. The circumstances identified by this investigator violate our Terms of Service and we encourage anyone who needs assistance to email our support team so we can investigate. “

In addition to registering an email when the second authentication factor is activated, as soon as you notice something strange such as receiving messages with WhatsApp activation codes that have not been requested, it is recommended that you contact the support team immediately to expect a system shutdown after 12 hours.

Read on:

Lovell Loxley

"Alcohol buff. Troublemaker. Introvert. Student. Social media lover. Web ninja. Bacon fan. Reader."

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top