WhatsApp has been found to contain a flaw that allows an attacker to remotely suspend your account knowing only your phone number. Security researchers discovered the bug in the instant messaging app and say it appears to have existed for some time, since it stems from two inherent weaknesses. Many WhatsApp users are said to be at risk because a remote attacker can deactivate WhatsApp on your phone and then prevent you from reactivating it. The flaw can be abused even if you have enabled two-factor authentication (2FA) for your WhatsApp account.
Luis Márquez Carpintero and Ernesto Canales Perea, security experts, discovered a loophole that allows attackers to remotely suspend the WhatsApp account. According to Forbes, the researchers discovered the bug on the instant messaging app due to two inherent flaws.
The first flaw lets an intruder set up WhatsApp on their own computer using your phone number. Because the six-digit registration code is sent to you rather than to the perpetrator, this step alone does not grant them access to your WhatsApp account. Repeated unsuccessful sign-in attempts with your phone number also lock code entry on the attacker's device for 12 hours.
Although the perpetrator cannot use your phone number to sign in, they can contact WhatsApp support and ask for your phone number to be deactivated from the app. All they need is a fresh email address and a message stating that the phone has been stolen or lost. WhatsApp replies to that message asking for confirmation, which the intruder receives immediately.
As a result, your WhatsApp account is deactivated and you can no longer use the instant messaging app on your computer. 2FA does not prevent this, since the deactivation is triggered by the attacker's email rather than by a sign-in attempt.
Normally, if your WhatsApp account has been deactivated, you can reactivate it by verifying your phone number. That is not possible, though, if the perpetrator has already locked the verification process for 12 hours by repeatedly attempting to sign in to the account, because you cannot obtain a new registration code for your phone number for the next 12 hours. When that lockout expires, the intruder simply repeats the procedure to lock the account for another 12 hours.
WhatsApp therefore treats your phone the same way it treats the attacker's and refuses to let you sign in. The only way to reclaim your account is to email WhatsApp support.
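The lockout mechanism described above is, at its core, a rate limit keyed on the phone number alone: anyone who submits enough wrong codes freezes verification for the real owner too. The toy gate below is an added illustration, not WhatsApp's code, and its threshold, client labels and the per-client variant (shown only to make the keying problem visible; the article does not report WhatsApp using it) are assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5             # assumed number of wrong codes before lockout
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour lockout the article describes


class CodeGate:
    """Verification-code gate. per_client=False keys the lockout on the
    phone number only (the behaviour the article describes); per_client=True
    keys it on (phone, submitting client), an illustrative alternative."""

    def __init__(self, per_client: bool):
        self.per_client = per_client
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, phone, client):
        return (phone, client) if self.per_client else phone

    def try_code(self, phone, client, submitted, expected, now):
        key = self._key(phone, client)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if submitted == expected:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key] = 0
            return "locked"
        return "wrong"


def simulate(per_client):
    """Replay the scenario: a remote client burns the failure budget, then the
    owner submits the correct code, first immediately and again after 12 h."""
    gate = CodeGate(per_client)
    phone, real_code = "+10000000000", "123456"  # constructed sample values
    for _ in range(MAX_FAILURES):
        gate.try_code(phone, "remote-computer", "000000", real_code, now=0)
    owner_now = gate.try_code(phone, "owners-phone", real_code, real_code, now=60)
    owner_later = gate.try_code(phone, "owners-phone", real_code, real_code,
                                now=LOCKOUT_SECONDS + 1)
    return owner_now, owner_later


if __name__ == "__main__":
    print("phone-keyed:", simulate(False))   # ('locked', 'ok')
    print("client-keyed:", simulate(True))   # ('ok', 'ok')
```

With the phone-keyed gate the owner is refused even with the correct code, and the remote client only needs to repeat the burst after each expiry to keep the owner out indefinitely, exactly the loop the article describes.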
According to a WhatsApp spokesperson, users can prevent their accounts from being deactivated through the newly discovered bug by registering an email address with their account as part of two-step verification.
“Providing an email address as part of the two-step authentication allows our customer service team to assist people in the unlikely event that they run into this problem. The situation described by this researcher would be in violation of our terms of service, and we urge anyone who requires assistance to contact our support staff so that we can look into it,” the spokesperson added.
WhatsApp has not, however, said whether it is working to patch the flaw.
It is currently unknown if the vulnerability has been abused in the wild. However, now that the flaw’s specifics are public, it might easily be used to prevent others from using WhatsApp — at least for a few hours.
WhatsApp has a global user base of over two billion people, with over 400 million users in India alone. At this time, the majority of users are unable to have their email addresses associated with their accounts. As a result, the identified vulnerability’s reach is very wide.