WhatsApp flaw lets anyone lock you out of your account

WhatsApp flaw lets anyone lock you out of your account

An attacker can lock you out of the app using just your phone number and without requiring any action on your part



If you use WhatsApp, you may want to be wary of an attack where cybercriminals could suspend your account using only your phone number. The underlying loophole abuses a lapse in security of two independent WhatsApp processes, according to Forbes, which quoted research by Luis Márquez Carpintero and Ernesto Canales Pereña.


For context, when you first go through the process of setting up your WhatsApp account on a device, you’re asked for your phone number to which a verification code is sent. Once you enter the code, you’re prompted for your two-factor authentication (2FA) number to confirm your identity.


However, there is no way to prevent anyone from using your number in the verification process. If an attacker were to do that, you would receive calls and messages from WhatsApp with a verification code, together with a notification urging you not to share the registration code with anyone. The criminal could do this repeatedly, whereas you might disregard the messages as a bug.


The requests would ultimately trigger WhatsApp’s limit on the number of times the codes can be sent and would also cause codes to be blocked after several wrong attempts – both for 12 hours. The timeout would affect you too, although you might not notice unless you log out in the interim.


In the next step, the threat actor would create a new email address and shoot an email to WhatsApp’s support with the subject “lost/stolen phone” and will ask them to deactivate your number. Apparently, the platform will ver ..