Two security experts have discovered a new vulnerability in WhatsApp that could lead more users to want to close their account on Facebook's messaging app. Hackers can easily exploit this vulnerability to ban you from your WhatsApp account indefinitely, which makes it more than just an annoyance to the messaging app’s 2 billion users. But this is not the worst part.
According to researchers Luis Márquez Carpintero and Ernesto Canales Pereña, attackers do not need any special software or training to exploit this vulnerability. They just need access to your phone number. Once they have it, they can ban you from your WhatsApp account without much effort. Here’s how it works.
WhatsApp requires two-factor authentication every time you log in on a new device. For this purpose, the service sends a six-digit code to your phone number for verification. If you enter the wrong code multiple times, WhatsApp automatically suspends your account for 12 hours.
Hackers can take advantage of this two-factor authentication system by installing WhatsApp on a new device, entering your phone number and repeatedly typing in the wrong code. Although this will prevent you from logging in on a new device for the next 12 hours, it will not affect your existing WhatsApp installation, which will continue to work as expected.
To prevent you from logging in on a new device indefinitely, the attacker only needs to repeat the above steps three times.
In the third 12-hour cycle, the app’s countdown timer will stop counting down and start showing “-1 second”. Once the error appears, WhatsApp will not allow you to log in on a new device. However, your current installation will still work. But the exploit does not end there, as the attacker can greatly increase its impact.
The hacker’s final step also terminates your current installation, after which your account is permanently locked. For this, all the attacker has to do is send an email to WhatsApp asking the service to deactivate your phone number. WhatsApp may send an automatic response asking the attacker to confirm the number, and once it is confirmed, WhatsApp will automatically deactivate your account without your knowledge.
Your current WhatsApp installation will suddenly stop working and you will see the following notification: “Your phone number is no longer registered in WhatsApp on this phone. This may be because you have registered it on another phone. If you did not do this, verify your phone number to log into your account.” When you try to verify your phone number, you will see the countdown timer at “-1 second” and you will not be able to log in.
Since there is nothing complicated about this attack, anyone with access to your phone number can easily lock you out of your WhatsApp account within days. So WhatsApp should fix this obvious problem right away.
A spokesperson for WhatsApp told Forbes that “Providing an email address with two-step verification helps our customer service team assist people in the event that they encounter this unlikely issue.” The fact that WhatsApp considers this an “unlikely” problem should be a concern for many users. Moreover, the spokesperson added that those trying to exploit this are violating WhatsApp’s terms of service. As if that would scare off all hackers and prevent phishers from trying to exploit an unwary user.
Obviously, we urge our readers not to exploit this vulnerability, not because violating WhatsApp’s terms of service could land you in jail, but because doing so is really bad.