WhatsApp users are being warned about a glaring security issue with the world’s most popular messaging app. The threat allows attackers to lock you out of your account by deactivating your WhatsApp. And what do bad actors need to wreak all this havoc? Nothing more than your phone number.
The terrifying new scam was first highlighted by a security expert writing in Forbes. Anyone can be blocked from their account in 36 hours, security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have cautioned.
The attack is possible because literally anyone can install WhatsApp on their device and enter a mobile number belonging to someone else during the initial account set-up process. If someone does this, you will receive texts and calls from WhatsApp carrying the crucial six-digit code needed to complete the setup.
Unless a hacker somehow manages to get you to send across this code, guessing it is nigh-on impossible. So what would happen is an attacker would attempt to enter this crucial code, and keep on failing.
So far, not a problem. The issue is that after a number of failed attempts WhatsApp will put a pause on creating these codes. The chat app will notify someone attempting – and failing – to set up WhatsApp that they have to “Resend SMS/Call me in 12 hours”.
After this 12-hour period runs out, an attacker needs to repeat the same method twice to ensure WhatsApp keeps blocking the creation of new setup codes. During the second 12-hour period, while new setup codes aren’t being generated, an attacker can create a fake email address and get in touch with WhatsApp support.
The bad actor can provide a target’s phone number, say the account has been lost or stolen, and ask for it to be deactivated.
WhatsApp can then lock a user out of their account, without verifying the person getting in touch via e-mail is the same person that has the phone number provided. If the attacker waits until the second 12-hour cycle begins, then by the time the third one kicks in WhatsApp appears to break down.
Instead of being told that new setup codes can be created in 12 hours’ time, WhatsApp tells the user to try again in minus one seconds.
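The resend-cap-and-cooldown behaviour described above, modelled as an added example written for this article rather than anything taken from WhatsApp. The class name CodeThrottle, the five-deliveries-per-window cap and the escalation to manual review after repeated cooldowns are assumptions; the 12-hour wait is the figure the article quotes. The model shows the two properties a defender wants from such a throttle: the displayed wait is clamped at zero rather than ever reading “minus one seconds”, and only a successful verification by the number’s owner clears the counters, so failed attempts from a third party never count as progress.

```python
# Added illustration (not WhatsApp's code): a per-phone-number throttle for
# "send me a setup code" requests. All constants are assumptions chosen to
# mirror the article's description; only the 12-hour wait comes from the text.
import math

MAX_SENDS_PER_WINDOW = 5        # assumed: deliveries allowed before a cooldown
COOLDOWN_SECONDS = 12 * 3600    # the 12-hour wait the article quotes
MAX_CONSECUTIVE_COOLDOWNS = 2   # assumed: a third cooldown in a row -> human review


class CodeThrottle:
    """Tracks code deliveries per phone number and enforces waiting periods."""

    def __init__(self):
        # phone -> {"sends": int, "cooldown_until": float, "cooldowns": int}
        self._state = {}

    def _entry(self, phone):
        return self._state.setdefault(
            phone, {"sends": 0, "cooldown_until": 0.0, "cooldowns": 0})

    def retry_after(self, phone, now):
        """Seconds a client should display before retrying. Clamped at zero so
        an expired cooldown or a skewed clock shows 0, never a negative number."""
        st = self._entry(phone)
        return max(0, math.ceil(st["cooldown_until"] - now))

    def request_code(self, phone, now):
        """Return (decision, retry_after_seconds).

        decision is "sent" (a code was delivered), "wait" (inside a cooldown)
        or "review" (too many cooldowns in a row: route to a human instead of
        handing out yet another timer).
        """
        st = self._entry(phone)
        if now < st["cooldown_until"]:
            return "wait", self.retry_after(phone, now)
        if st["cooldown_until"]:
            # The cooldown has just expired: the delivery window starts fresh.
            st["sends"] = 0
            st["cooldown_until"] = 0.0
        if st["sends"] >= MAX_SENDS_PER_WINDOW:
            st["cooldowns"] += 1
            if st["cooldowns"] > MAX_CONSECUTIVE_COOLDOWNS:
                return "review", 0
            st["cooldown_until"] = now + COOLDOWN_SECONDS
            return "wait", COOLDOWN_SECONDS
        st["sends"] += 1
        return "sent", 0

    def verified(self, phone):
        """The owner entered a correct code: clear every abuse counter. Nothing
        else resets them, so repeated failures by a stranger never help."""
        self._state.pop(phone, None)


def simulate_repeated_requests(cycles=3, phone="+15555550100"):
    """Drive the throttle through `cycles` full cap-then-cooldown rounds with
    a constructed phone number and return the decision taken after each round.
    Simulated time advances by exactly one cooldown between rounds."""
    throttle = CodeThrottle()
    now = 0.0
    decisions = []
    for _ in range(cycles):
        for _ in range(MAX_SENDS_PER_WINDOW):
            throttle.request_code(phone, now)
        decision, _ = throttle.request_code(phone, now)   # one over the cap
        decisions.append(decision)
        now += COOLDOWN_SECONDS
    return decisions


if __name__ == "__main__":
    print(simulate_repeated_requests())          # ['wait', 'wait', 'review']
    t = CodeThrottle()
    t.request_code("+15555550100", 0.0)
    print(t.retry_after("+15555550100", 99999.0))  # 0, never negative
```

The escalation to "review" is the point the article's third cycle turns on: a throttle that can only ever answer with another timer has no good state left once its arithmetic stops making sense, whereas routing the number to a human with its request history attached gives the real owner a path back in.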
If the attack has progressed to this point, and the attacker has messaged WhatsApp support before a victim has, then the target will face a major headache trying to retrieve their account. Researchers said by this point it’s “too late” and instead of dealing with an automated help system a victim will have to try and track down someone to speak to in person.
Speaking about the threat, ESET’s Jake Moore said: “This is yet another worrying hack, one that could impact millions of users who could potentially be targeted with this attack. With so many people relying on WhatsApp as their primary communication tool for social and work purposes, it is alarming at what ease this can occur.”
A WhatsApp spokesperson said: “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”