If you’re a frequent user of WhatsApp, you may want to keep an eye on a disturbing hole discovered in its security this weekend. It’s possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing there’s no solution for this issue.
This newly-discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.
Here’s where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.
The attack is a proof-of-concept from a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, and was first reported by Forbes. The results are disturbing, but at the very least, this method can’t be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed.
There’s no indication that this technique is being used in the wild. But when pressed for comment, WhatsApp was evasive, and did not indicate that it’s working to resolve the hole in its security. A representative said that providing an email address with your two-factor authentication credentials can help avoid this hypothetical scenario, but that still puts the responsibility on WhatsApp for actually following its own best practices.
WhatsApp, which is owned by Facebook, warns that using this vulnerability violates its terms of service. Which isn’t much of a deterrent, since it can be performed anonymously with any mobile device and a throwaway email. As an Android Police staff member opined, maybe “it’ll get fixed when someone does this to Zuckerberg’s number, which was recently leaked in a Facebook account dump.” It seems like security issues, and a less-than-satisfactory response to them, will continue to be a problem in Facebook’s growing corporate empire.