If you are someone who connects with their friends, family and colleagues via WhatsApp, then beware!
A glaring new vulnerability has been found in the Facebook-owned messaging platform’s security, one that a threat actor can easily leverage to suspend your WhatsApp account, leaving you with no recourse at all. But that’s not all.
To make things worse, there is no fix available for this issue as of now. So how can this newly discovered security flaw be exploited? Let’s find out.
The attacker first installs the WhatsApp app on a new device and enters the victim’s phone number to activate chat and related services. Next, they run into WhatsApp’s two-factor authentication (2FA) system, which sends the login prompts to the victim’s actual phone instead.
Finally, after multiple repeated failed attempts, the login gets locked for 12 hours straight. This is where the tricky part begins.
With the victim’s legitimate WhatsApp account locked, the malicious threat actor goes on to send a support message to the app from their own email address, claiming to be the victim who has lost their device and asking that the account associated with the number be deactivated. After receiving the email, WhatsApp proceeds to verify the claim with a reply email and then suspends the victim’s account without asking for any further input.
This dubious process can be repeated several times by an attacker to create a semi-permanent lock on the victim’s account. Thankfully, it is not something that is currently widespread.
Luis Márquez Carpintero and Ernesto Canales Pereña reported the attack as a ‘proof-of-concept’ to demonstrate WhatsApp’s vulnerability. The result, as discussed above, is quite disturbing and devastating. However, the only silver lining here is that a threat actor cannot use this method to gain access to a victim’s account. No confidential text messages or contact information get exposed in the process. The attacker can only block access to WhatsApp for the account’s legitimate owner.
When asked to comment on this vulnerability’s existence, WhatsApp responded quite evasively and didn’t indicate that they are working to resolve this security flaw.
A company representative said that the hypothetical scenario can be easily avoided if one provides an email address along with their 2FA credentials.
Furthermore, he added that exploiting the said vulnerability is a violation of WhatsApp’s terms of service. But will an actual threat actor take that into account? Probably not, as one can act anonymously with the help of a throwaway email.
All in all, it seems that it falls to users to look out for themselves after the company’s less-than-satisfactory response. Maybe Facebook, WhatsApp’s parent company, will look into it once Zuckerberg gets hit by the same attack, similar to how his contact details surfaced in the recent Facebook data breach. We will keep you updated on all future developments. Until then, stay tuned.