WhatsApp is found to have a vulnerability that can allow an attacker to suspend your remotely using your phone number. The flaw that has now been found by security researchers appears to have existed on the instant messaging app for quite some time now — due to fundamental weaknesses. A large number of WhatsApp s are said to be at risk as a remote attacker can deactivate WhatsApp on your phone and then restrict you from activating it back. The vulnerability can be exploited even if you've enabled two-factor authentication (2FA) for your WhatsApp .
Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have discovered the flaw that can allow attackers to remotely suspend your WhatsApp . As first reported by Forbes, the researchers found that the flaw exists on the instant messaging app due to two fundamental weaknesses.
The first weakness allows the attacker to enter your phone number on WhatsApp installed on their phones. This will, of course, not give access to your WhatsApp unless the attacker obtains the six-digit registration code you'll get on your phone. Multiple failed attempts to sign in using your phone number will also block code entries on WhatsApp installed on the attacker's phone for 12 hours.
However, while the attacker won't be able to repeat the sign in process with your phone number, they will be able to WhatsApp to deactivate your phone number from the app. What they need is a new email address and a simple email stating that the phone has been stolen or lost. In response to that email, WhatsApp will ask for a confirmation that the attacker will quickly provide from their end.
This will deactivate your WhatsApp , meaning that you'll no longer be able to access the instant messaging app on your phone. You won't be able to avoid that deactivation by using 2FA on your WhatsApp as the has apparently been deactivated through the email sent by the attacker.
In a regular deactivation case, you can activate your WhatsApp back by ing your phone number. This is, however, not possible if the attacker has already locked the verification process for 12 hours by making multiple failed attempts to sign in to your WhatsApp . This means that you'll also be restricted from getting a new registration code on your phone number for 12 hours. The attacker can also repeat the process of failed attempts to restrict your for another 12 hours when the first one expires.
This highlights that WhatsApp will treat your phone the same way it is treating the attacker's one and will block sign in access. You'll only have the option to get your WhatsApp back by ing the messaging app over email.
A WhatsApp spokesperson told Gadgets 360 that s could avoid the problem of getting their s deactivated by attackers using the newly discovered flaw by ing their email address to their via two-step verification.
“Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our of service and we encourage anyone who needs help to email our team so we can investigate,” the spokesperson said.
However, WhatsApp has not provided any details on whether it is fixing the vulnerability to avoid its adverse effect on the masses.
It is currently unclear whether an attacker has exploited the vulnerability in the wild. However, considering the fact that the details about the flaw are now in the public, it could easily be leveraged to restrict anyone from using their WhatsApp — at least for a few hours.
WhatsApp has a massive base of over 400 million s in India alone. Most of the s aren't likely to have their email addresses ed with their s at this moment. Therefore, the scope of the reported vulnerability is quite wide.
Does WhatsApp's new spell the end for your privacy? We discussed this on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.