April 14th, 2021
Your WhatsApp account can be suspended by anyone who has your phone number
If you're a frequent user of WhatsApp, you may want to keep an eye on a disturbing hole discovered in its security this weekend. It's possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing there's no solution for this issue.
This newly-discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can't verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.
Here's where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp "verifies" this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account. The attack is a proof-of-concept from a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña. The results are disturbing, but at the very least, this method can't be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed.
There's no indication that this technique is being used in the wild. But when pressed for comment, WhatsApp was evasive, and did not indicate that it's working to resolve the hole in its security. A representative said that providing an email address with your two-factor authentication credentials can help avoid this hypothetical scenario, but that still puts the responsibility on WhatsApp for actually following its own best practices.
WhatsApp warns that using this vulnerability violates its terms of service. Which isn't much of a deterrent, since it can be performed anonymously with any mobile device and a throwaway email. As a cyber security professional I say that maybe "it'll get fixed when someone does this to Zuckerberg's number, which was recently leaked in a Facebook account dump." It seems like security issues, and a less-than-satisfactory response to them, will continue to be a problem in Facebook's growing corporate empire.
Leave a Reply.
Thecomputerheale.com makes no claims about the efficacy of the information contained in the documents and related graphics published on this website for any purpose. All information, documents and graphics are provided "as is" without any kind of guarantee of effectiveness. Thecomputerhealer.com hereby disclaims all responsibility for the manner in which the information offered on this website is used by you.
In no event shall Thecomputerhealeronline.com be liable for any special, indirect or consequential damages or any damages whatsoever resulting from the loss of use, data or profits arising out of or in connection with the use or performance of information available from this website.
The documents and related graphics published on this website may include technical inaccuracies or typographical errors. Changes are periodically added to the information on this website. Thecomputerhealer.com reserves the right, at its discretion, to change or modify all or any part of this agreement and the content on website at any time, effective immediately upon publication of this notice.
Your continued use of this website constitutes your binding acceptance of these terms and conditions, including any changes or modifications made by Thecomputerhealer.com as permitted above. If, at any time, the terms and conditions of this agreement are no longer acceptable to you, you should immediately cease using this website.