WhatsApp users beware: There’s a hole in the app’s security that could let attackers suspend your WhatsApp account. All they need is your phone number.
The scary thing is that the method an attacker could use isn’t all that difficult. The only upside is that the attack doesn’t expose your account or any personal information. So the only reason they’d want to do it would be pure malice.
The first stage of the attack is for the attacker to install WhatsApp on a brand new device and use your number to activate the app. Since they don’t have access to your phone, they won’t be able to verify the number belongs to them and actually access your WhatsApp account.
The bad news here is that repeatedly sending out two-factor authentication codes, and failing to enter them correctly, will lead to your own login being locked for 12 hours.
The second stage is a little bit more difficult, but isn’t all that hard. Once the account is locked, the attacker can email WhatsApp support claiming to be you, and declare your phone has been either lost or stolen and the WhatsApp app on it needs to be deactivated.
Because WhatsApp doesn’t ask for an email address when you sign up, this gets “verified” with whatever email the attacker messaged support with. Then your account is suspended by an automated process. Should the attacker repeat the process multiple times, it can lead to a semi-permanent lock on your entire account.
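The lockout design the first stage abuses can be modelled in a few lines. The Python below is an added illustration, not WhatsApp's code, and assumes a made-up failure threshold, phone number and device labels: keying the failure counter on the phone number alone lets a stranger's failed attempts lock the real owner out, while keying it on the requester as well leaves the owner unaffected.

```python
"""Model of the account-lockout design described above (constructed example).

Policy A keys the failure counter on the phone number alone, so a stranger's
failed attempts lock the real owner out. Policy B keys it on the phone number
plus the requesting device (stand-in for any per-requester signal), so the
owner's own verification still succeeds.
"""
from collections import defaultdict

MAX_FAILURES = 5          # assumed threshold; the real value is not on the page
LOCK_SECONDS = 12 * 3600  # the 12-hour lock the article describes


class VerificationService:
    def __init__(self, per_device: bool):
        self.per_device = per_device
        self.failures = defaultdict(int)   # counter key -> failed attempts
        self.locked_until = {}             # counter key -> unlock timestamp
        self.codes = {}                    # phone -> current valid code

    def _key(self, phone, device):
        return (phone, device) if self.per_device else phone

    def request_code(self, phone, code):
        # The code is delivered to the SIM that owns the number, so only the
        # real owner ever sees it.
        self.codes[phone] = code

    def submit_code(self, phone, device, code, now):
        key = self._key(phone, device)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if self.codes.get(phone) == code:
            self.failures[key] = 0
            return "verified"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS
            return "locked"
        return "wrong_code"


def simulate(per_device: bool):
    """A stranger guesses wrong MAX_FAILURES times from a new device, then the
    owner submits the correct code from their own phone. Returns the owner's
    result: 'locked' under policy A, 'verified' under policy B."""
    svc = VerificationService(per_device)
    svc.request_code("+15550100", "123456")   # constructed number and code
    for i in range(MAX_FAILURES):
        svc.submit_code("+15550100", "stranger-device", "000000", now=i)
    return svc.submit_code("+15550100", "owner-device", "123456", now=MAX_FAILURES)
```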
Thankfully there are no reports of this attack actually being used out in the world. Instead it’s a proof of concept from security researchers Luis Márquez Carpintero and Ernesto Canales Pereña (via Forbes).
However, the security hole does exist, and it isn’t particularly complicated. To make matters worse, WhatsApp has not confirmed whether it has any plans to fix the problem. That's an issue, considering your account can be deactivated anonymously, with no way of identifying which malicious actors are responsible.
If it happens, the only thing you can do is get in touch with WhatsApp support, and try to get hold of a human being.
Obviously the problem needs fixing, and we can only hope WhatsApp is actively working on a fix, as at the time of writing, this security hole is ripe for exploitation.