ESET, a leading company in proactive threat detection, is warning WhatsApp users about an attack in which a cybercriminal can get an account suspended while knowing nothing more than the victim’s phone number.
When a WhatsApp account is set up for the first time on a device, the phone number is requested so that a verification code can be sent to it. Once the code is entered, the two-factor authentication (2FA) PIN is requested to confirm the user’s identity. This particular attack takes advantage of a gap between two independent WhatsApp processes, ESET explains in an article about the investigation.
However, nothing prevents someone from entering any phone number in the verification process. If an attacker did so, the user would receive WhatsApp calls and messages containing a verification code, along with a notification urging them not to share the registration code with anyone. The cybercriminal could do this repeatedly, and the user might simply dismiss the messages as an error.
These requests would eventually trigger WhatsApp’s limit on the number of times codes can be sent, and would also cause code entry to be blocked after multiple unsuccessful attempts; in both cases the block lasts 12 hours. During this time the application on the phone continues to function normally, but the attacker has blocked the ability to request a new code or enter one on the verification screen. The lockout may therefore go unnoticed by the user unless they log out during that window.
The attacker could then create a new email address and write to the WhatsApp support team with the subject “lost / stolen phone”, requesting that the user’s number be deactivated. The platform apparently verifies the “identity” only by sending an automatic email asking for the user’s phone number, so the attacker can impersonate the legitimate user.
WhatsApp then deactivates the account, and because the limit on verification attempts has already been exceeded, the user cannot log in until the 12 hours have elapsed and a new verification code can be requested.
Unfortunately, if the attacker does not stop and repeats this process three times in a row, each triggering the 12-hour lockout, WhatsApp fails and displays a message saying “try again after -1 second.” The researchers warn that once the attacker reaches that point, there is no way for the user to recover the account unless they find someone at WhatsApp willing to help.
Speaking to Forbes magazine, a WhatsApp spokesperson said that “providing an email address and double factor authentication will help our customer service team help people should they ever encounter this issue. The circumstances identified by this investigator would violate our terms of service and we encourage anyone who needs help to email our support team so that we can investigate.”
The issue caught the attention of ESET security specialist Jake Moore, who recently showed how someone can take control of your WhatsApp account just by knowing your phone number. Moore cautioned that the new flaw should not be taken lightly, especially since it could affect millions and is relatively easy to pull off.
“There is no way to opt out of being discovered on WhatsApp,” he said. “Anyone can type in a phone number to see if there is an associated account. Ideally, a change to improve privacy would help protect users from this, as well as forcing people to implement a two-step verification PIN.”