Security researchers have disclosed a new vulnerability in WhatsApp. In their view the problem is serious enough that it could drive many users away from the messenger for good: by abusing it, an attacker can permanently lock a victim out of their WhatsApp account.
According to researchers Luis Marquez Carpintero and Ernesto Canales Perenya, exploiting the flaw requires no special software or skills. The only thing the attacker needs is the victim's phone number; with that alone they can lock the user out of the account.
When a user tries to sign in on a new device, WhatsApp verifies ownership of the phone number by sending a 6-digit code to it. If the code is entered incorrectly several times on the new device, sign-in for that number is automatically suspended for 12 hours. The attacker therefore only needs to know the victim's phone number, install WhatsApp on a fresh device, enter that number and submit wrong codes one after another. This blocks sign-in on the new device for 12 hours, but the legitimate user can keep using the application on the device where it is already registered. The security-relevant point is that the lockout is keyed on the phone number alone, so anyone who merely knows the number can trigger it without ever proving control of it.
If this procedure is repeated three times, the suspension timer in the application breaks after the third cycle: instead of a further 12 hours it displays -1 second, and from then on WhatsApp refuses sign-in on the new device altogether. The existing device continues to work as usual. But that is not all.
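The lockout abuse above comes down to one design choice: whether failed verification attempts are counted per phone number or per (phone number, requesting source). The following model is an added illustration, not WhatsApp's code; the class, the thresholds, the source identifiers and the sample number are assumptions chosen to show the flawed keying beside a source-scoped one, and to clamp the retry countdown so it can never surface as a negative value.

```python
"""Model of verification-code lockout: number-keyed versus source-keyed.

Added illustration, not WhatsApp's implementation. MAX_ATTEMPTS,
LOCKOUT_SECONDS, the source labels and the phone number are assumptions.
"""
from collections import defaultdict

MAX_ATTEMPTS = 5            # assumed failures allowed before a lockout
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour suspension described above


class CodeVerifier:
    """Tracks wrong-code attempts and lockouts for phone verification.

    key_by_source=False reproduces the flaw: the lockout is keyed on the
    phone number alone, so a stranger's failures lock out the owner too.
    key_by_source=True keys it on (phone, source) so only the source
    that failed is suspended.
    """

    def __init__(self, key_by_source: bool, now: float = 0.0) -> None:
        self.key_by_source = key_by_source
        self.now = now                      # injected clock, in seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, phone: str, source: str):
        return (phone, source) if self.key_by_source else phone

    def attempt(self, phone: str, source: str, code_ok: bool) -> str:
        """Returns 'verified', 'retry' or 'locked' for one code submission."""
        key = self._key(phone, source)
        if self.locked_until.get(key, 0.0) > self.now:
            return "locked"
        if code_ok:
            self.failures.pop(key, None)
            return "verified"
        self.failures[key] += 1
        if self.failures[key] >= MAX_ATTEMPTS:
            self.failures.pop(key, None)
            self.locked_until[key] = self.now + LOCKOUT_SECONDS
            return "locked"
        return "retry"

    def retry_after(self, phone: str, source: str) -> int:
        """Seconds until the next attempt is allowed, never negative.

        Clamping at zero is what prevents a stale or corrupted expiry from
        being shown to the user as a countdown like -1 second.
        """
        key = self._key(phone, source)
        return max(0, int(self.locked_until.get(key, 0.0) - self.now))


def simulate_lockout_abuse(key_by_source: bool) -> dict:
    """Attacker burns the attempt budget from their own device, then the
    real owner tries to register a new phone with the correct code."""
    verifier = CodeVerifier(key_by_source)
    victim = "+15555550100"  # constructed number for the example
    attacker_result = "retry"
    for _ in range(MAX_ATTEMPTS):
        attacker_result = verifier.attempt(victim, "attacker-device", code_ok=False)
    owner_result = verifier.attempt(victim, "owner-new-device", code_ok=True)
    return {
        "attacker": attacker_result,
        "owner": owner_result,
        "owner_retry_after": verifier.retry_after(victim, "owner-new-device"),
    }


if __name__ == "__main__":
    print("number-keyed:", simulate_lockout_abuse(key_by_source=False))
    print("source-keyed:", simulate_lockout_abuse(key_by_source=True))
```

With number-keyed lockouts the owner's correct code is rejected for 12 hours because a stranger exhausted the budget; with source-keyed lockouts only the attacker's device is suspended. A source identifier such as device or IP is forgeable, so in practice this has to be paired with per-source throttling and a cap on how many codes are sent per number, but an unauthenticated party must never be able to suspend the number itself.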
The final stage lets the attacker lock the account even on the victim's existing device. The attacker emails WhatsApp a request to deactivate the phone number. The service replies automatically, asking the sender to confirm the phone number, which the attacker already knows. Once the number is confirmed, WhatsApp deactivates the account automatically: the process checks only that the requester can state the number, not that they control it. The victim sees the notification "Your phone number is no longer registered in WhatsApp on this phone. This may be because you registered it on a different phone. If you haven't, please confirm your phone number to sign in to your account again." But when the victim then tries to confirm the number, all they see is the broken pause timer showing -1 second, and signing in is no longer possible.
Source: wccftech