WhatsApp is used by billions of people around the world, most of whom do not know that the chat application has a gaping hole in its security that can get your account suspended. All an attacker needs is your phone number.
The attack is a proof-of-concept from a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, and was first reported by Forbes. The attacker installs WhatsApp and enters your phone number. They obviously cannot log in to your account, because WhatsApp's verification step sends the one-time code to your phone, not theirs. But once the attacker has made several failed attempts, WhatsApp stops sending verification texts to that number for the next 12 hours, and with that, logging in is locked for you as well.
Up to this point there is nothing unusual, but now comes the tricky part. The attacker e-mails WhatsApp claiming that their phone, carrying what is actually your number, has been lost or stolen, and that the account associated with the number needs to be deactivated.
WhatsApp apparently "verifies" this with a reply e-mail and suspends your account without anything from your side. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account. The one saving grace is that the attacker never gains access to any of your messages; being locked out of your own account without any notification, however, is disturbing.
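To make the failure mode concrete, here is a small model of the two checks in the chain, the OTP send lockout and the handling of a deactivation request, with the weak form beside a hardened one. It is an added illustration written for this page, not WhatsApp's code, and the account state, the five-failure threshold, the `recovery_email` channel and the `WeakService` / `HardenedService` classes are all assumptions made for the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed parameters for the model. 12 hours is the lockout window the
# article reports; the failure threshold is an assumption, not a documented value.
MAX_FAILED_OTP = 5
OTP_LOCKOUT = timedelta(hours=12)


@dataclass
class Account:
    phone: str
    recovery_email: str  # assumed owner-controlled channel; not a known WhatsApp feature
    active: bool = True
    failed_otp: Dict[object, int] = field(default_factory=dict)
    locked_until: Dict[object, datetime] = field(default_factory=dict)


class WeakService:
    """Models the chain as described: the OTP lockout is keyed on the phone number
    alone, and a deactivation e-mail is honoured on the strength of the number."""

    def __init__(self, acct: Account):
        self.acct = acct

    def _key(self, client_id: str):
        return self.acct.phone  # every client shares one failure counter

    def record_failed_otp(self, client_id: str, now: datetime) -> None:
        key = self._key(client_id)
        self.acct.failed_otp[key] = self.acct.failed_otp.get(key, 0) + 1
        if self.acct.failed_otp[key] >= MAX_FAILED_OTP:
            self.acct.locked_until[key] = now + OTP_LOCKOUT

    def can_send_otp(self, client_id: str, now: datetime) -> bool:
        until = self.acct.locked_until.get(self._key(client_id))
        return until is None or now >= until

    def handle_deactivation_email(self, sender: str, claimed_phone: str) -> bool:
        # Flaw: the only thing checked is the number, which the attacker already has.
        if claimed_phone != self.acct.phone:
            return False
        self.acct.active = False
        return True


class HardenedService(WeakService):
    """Same surface, two changes: failures are counted per requesting client so an
    attacker's spam does not lock the owner out, and a deactivation request is only
    honoured when it arrives from a channel already registered on the account."""

    def _key(self, client_id: str):
        return (self.acct.phone, client_id)

    def handle_deactivation_email(self, sender: str, claimed_phone: str) -> bool:
        if claimed_phone != self.acct.phone:
            return False
        if sender != self.acct.recovery_email:
            return False  # the attacker does not control the registered channel
        self.acct.active = False
        return True


def simulate_attack(service_cls) -> Tuple[bool, bool]:
    """Run the sequence from the article against a service class and report
    (owner can still request an OTP, account still active)."""
    acct = Account(phone="+15550100", recovery_email="owner@example.com")  # constructed
    svc = service_cls(acct)
    t0 = datetime(2021, 4, 1, 12, 0)

    # Step 1: attacker keeps entering the victim's number with wrong codes.
    for i in range(MAX_FAILED_OTP):
        svc.record_failed_otp("attacker-device", t0 + timedelta(minutes=i))

    # Step 2: attacker e-mails support claiming the phone was lost or stolen.
    svc.handle_deactivation_email("attacker@example.net", acct.phone)

    # The victim tries to log in an hour later from their own device.
    later = t0 + timedelta(hours=1)
    return svc.can_send_otp("victim-device", later), acct.active


if __name__ == "__main__":
    print("weak:", simulate_attack(WeakService))        # (False, False)
    print("hardened:", simulate_attack(HardenedService))  # (True, True)
```

The per-client failure counter is a simplification: a real service still needs a per-number cap to stop SMS abuse, but it can exempt a device that has already verified for that number, or rate-limit code delivery without refusing it outright. The point the model isolates is the second step, which is the one that turns a nuisance into a suspension: a deactivation request that is not bound to anything the owner alone controls is, in effect, a deactivation request that anyone with the number can make.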
At the time of writing there is no fix for this security hole, and there is no evidence that the technique is being used in the wild to lock people out of their WhatsApp accounts.
Picture Credits: Forbes