WhatsApp has been found to have a flaw that could let attackers remotely suspend your account using nothing more than your phone number.
The vulnerability, discovered by security researchers, appears to have existed in the instant messaging app for quite some time. Many WhatsApp users are said to be at risk, because a remote intruder could deactivate WhatsApp on your phone and then prevent you from reactivating it.
The vulnerability can be exploited even if you have enabled two-factor authentication (2FA) for your WhatsApp account. The bug, discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Perea, allows attackers to remotely suspend your WhatsApp account.
According to Forbes, the bug stems from two fundamental flaws in the instant messaging app. The first flaw allows an intruder to enter your phone number into WhatsApp installed on their own phone.
However, this will not allow the attacker access to your WhatsApp account unless the attacker obtains the six-digit registration code you’ll receive on your phone. Multiple unsuccessful attempts to sign in with your phone number would also block code entries on the attacker’s phone for 12 hours.
Although the intruder will then be unable to sign in with your phone number again, they can still contact WhatsApp support and request that your phone number be deactivated from the app.
All they need is a new email address and a simple email claiming that their phone has been stolen or lost. In response, WhatsApp will request clarification, which the attacker can provide quickly.
This deactivates your WhatsApp account, preventing you from using the instant messaging app on your mobile. Enabling 2FA on your WhatsApp account will not stop the deactivation, because the deactivation is triggered by the attacker’s email to support rather than by a sign-in attempt.
After a routine deactivation, you can reactivate your WhatsApp account by verifying your phone number. This is not possible if the intruder has already locked the verification process for 12 hours by repeatedly attempting to sign in to your WhatsApp account.
This means you won’t be able to receive a new registration code for your phone number for the next 12 hours. Once the first lockout expires, the intruder can repeat the procedure to lock your account for another 12 hours.
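As an added illustration, not code from the article or from WhatsApp, the following Python model shows why the 12-hour lockout described above works against the number's real owner: when failed registration-code entries are counted per phone number alone, a stranger's failures lock the number for every device, whereas keying the lockout on the requesting device as well (an assumed mitigation, not WhatsApp's known design) leaves the owner able to re-verify. The failure threshold, phone number and device identifiers are constructed.

```python
from collections import defaultdict

LOCKOUT_SECONDS = 12 * 60 * 60   # the 12-hour lockout window the article describes
MAX_FAILED = 5                   # assumed threshold; the article gives no number


class CodeEntryThrottle:
    """Counts failed registration-code entries and locks out after MAX_FAILED.
    Subclasses decide what the lockout is keyed on."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def key(self, phone, device_id):
        raise NotImplementedError

    def can_request_code(self, phone, device_id, now):
        return self.locked_until.get(self.key(phone, device_id), 0) <= now

    def record_failure(self, phone, device_id, now):
        k = self.key(phone, device_id)
        self.failures[k] += 1
        if self.failures[k] >= MAX_FAILED:
            self.locked_until[k] = now + LOCKOUT_SECONDS


class NumberKeyedThrottle(CodeEntryThrottle):
    """Models the flaw: failures are counted per phone number only, so anyone who
    enters that number on their own phone can lock it for every device."""
    def key(self, phone, device_id):
        return phone


class RequesterKeyedThrottle(CodeEntryThrottle):
    """Assumed mitigation: the lockout key includes the requesting device, so a
    stranger's failed attempts do not block the number's legitimate owner."""
    def key(self, phone, device_id):
        return (phone, device_id)


def owner_can_reverify(throttle, attempts=MAX_FAILED):
    """Constructed scenario: a third-party device burns through failed code
    entries for the victim's number, then the owner tries to re-register.
    Returns True if the owner can still request a code."""
    victim, owner_dev, other_dev, now = "+10000000000", "owner-phone", "other-phone", 0
    for i in range(attempts):
        throttle.record_failure(victim, other_dev, now + i)
    return throttle.can_request_code(victim, owner_dev, now + attempts)
```

Per-device keying on its own is not sufficient: a service still needs a per-number cap on how many codes it sends, so the two limits have to be designed so that throttling delivery slows abuse without blocking the owner's own device.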
WhatsApp has not disclosed whether it is working to address the flaw, in order to avoid a negative impact on the public.