The portal Forbes reported a security vulnerability that can cause any WhatsApp user to lose access to their account. Two-step verification will not help either; on the contrary, it contributes significantly to your inability to keep using the account.
Spanish scientists Luis Marquez Carpintero and Ernesto Canales Berina pointed to a worrying security weakness of the popular Facebook-owned chat app. According to their findings, the attacker only needs to know the victim’s phone number.
The attacker enters this number when activating WhatsApp on a new device. Thanks to the two-step verification, which sends an SMS code to the victim's number, he cannot log into the account, but that is not what he is after. A user who is attentive to their account will feel that WhatsApp's two-step security is working as expected, while the attacker keeps trying to log into the victim's account. Deliberately.
After several unsuccessful attempts, the login is automatically blocked for security reasons, or the sending of the verification SMS is suspended for 12 hours. This is exactly what the attacker is waiting for. He then contacts WhatsApp support from almost any email address, claiming that the phone associated with that phone number has been lost or stolen, and requests that the account be deactivated.
Sounds implausible? Not according to Forbes: WhatsApp verifies the request with an automatic email reply asking for the number to be entered again, but for the attacker this is just the next step. Support has no way of verifying whether the person requesting the suspension is the real user. There are no further verification questions to confirm ownership of the phone number, so the automated process deactivates the account without the victim's knowledge.
The chat application on the number holder's phone stops working after about an hour. The user is notified that the phone number is no longer registered with WhatsApp on this phone, although it may be registered on another device. To recover, the user must verify their number and log back into the account. However, because of the login ban the attacker triggered earlier, the required authentication SMS never arrives.
Moreover, by repeatedly failing to log into the account, the attacker can in practice make any future login by the owner of the phone number impossible. All it takes is two twelve-hour lock windows; after that, the app on the phone reports too many login attempts with the message "Try again after -1 second". At this point the attacker can no longer even try to log in again, but neither can the real owner of the number.
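The design weakness behind the lockout is that the failed-attempt counter and the resulting block are keyed on the phone number alone, so anyone who types the number can lock out its legitimate owner. The following added example (not WhatsApp's code; a constructed model with assumed constants) contrasts that design with one that keys the throttle on the requesting device as well, so a stranger's failures never block the owner, and clamps the retry timer so a negative "try again" value can never be shown.

```python
"""Model of two ways to throttle verification-SMS requests.

Constructed illustration for the article above; it is not WhatsApp's
implementation. LOCK_SECONDS mirrors the article's 12-hour window; the
attempt threshold and the requester identifiers are assumptions.
"""
from collections import defaultdict

LOCK_SECONDS = 12 * 3600   # assumed lock window (the article's "12 hours")
MAX_ATTEMPTS = 5           # assumed number of failures before a lock starts


class NumberKeyedThrottle:
    """Flawed design: counter and lock live on the phone number only.

    Anyone who can type the number can exhaust the attempts and block the
    owner from re-registering on their own device.
    """

    def __init__(self):
        self.failures = defaultdict(int)  # number -> failed attempts
        self.locked_until = {}            # number -> unix time the lock ends

    def request_code(self, number, requester, now):
        until = self.locked_until.get(number, 0)
        if now < until:
            # Clamp so a caller can never see a negative retry-after value.
            return ("blocked", max(0, int(until - now)))
        return ("sent", 0)

    def record_failure(self, number, requester, now):
        self.failures[number] += 1
        if self.failures[number] >= MAX_ATTEMPTS:
            self.locked_until[number] = now + LOCK_SECONDS
            self.failures[number] = 0


class RequesterKeyedThrottle:
    """Hardened design: counter and lock are keyed on (number, requester).

    'requester' stands for whatever identifies the device or client making
    the request (an installation id or similar; assumed here). A stranger's
    failures lock only the stranger's key, never the owner's device.
    """

    def __init__(self):
        self.failures = defaultdict(int)  # (number, requester) -> failures
        self.locked_until = {}            # (number, requester) -> unix time

    def request_code(self, number, requester, now):
        until = self.locked_until.get((number, requester), 0)
        if now < until:
            return ("blocked", max(0, int(until - now)))
        return ("sent", 0)

    def record_failure(self, number, requester, now):
        key = (number, requester)
        self.failures[key] += 1
        if self.failures[key] >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCK_SECONDS
            self.failures[key] = 0


def simulate(throttle, now=1_700_000_000):
    """Constructed scenario: a stranger exhausts the attempts for the
    owner's number, then the owner tries to register a minute later.
    Returns (owner_outcome, stranger_outcome)."""
    number = "+15550001234"               # constructed sample number
    for _ in range(MAX_ATTEMPTS):
        throttle.request_code(number, "stranger-device", now)
        throttle.record_failure(number, "stranger-device", now)
    owner = throttle.request_code(number, "owner-device", now + 60)
    stranger = throttle.request_code(number, "stranger-device", now + 60)
    return owner, stranger


if __name__ == "__main__":
    print("number-keyed   :", simulate(NumberKeyedThrottle()))
    print("requester-keyed:", simulate(RequesterKeyedThrottle()))
```

In the number-keyed model the owner is blocked for the remainder of the stranger's 12-hour window; in the requester-keyed model the stranger is blocked while the owner's code is still sent. Per-requester keying limits brute-force attempts just as well, but it turns an unauthenticated denial of service into a nuisance that only affects the party causing it.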
This poses a relatively high risk for WhatsApp's 2 billion users (see also: WhatsApp is huge, used by 2 billion people). The attacker gains no access to the content of the victim's communications, but that is not the goal of the attack. Most worrying is that WhatsApp's statement, given at the request of the portal Android, did not even indicate that it intends to address the vulnerability in any way.
The company representative said only that WhatsApp users should add an email address to their account information so that they can be contacted in cases like this. The company did confirm that exploiting this vulnerability violates its terms of service. In practice this is little more than an excuse, since the attack is completely anonymous: it can be carried out from any mobile device and through a throwaway email address, so there is no way to hold the attacker to account for violating the terms.