WhatsApp flaw could let anyone lock your account — what you need to know

(Image credit: Anadolu Agency / Getty Images)

WhatsApp users beware: There’s a hole in the app’s security that could let attackers suspend your WhatsApp account. All they need is your phone number.

The scary thing is that the method an attacker could use isn’t all that difficult. The only upside is that the attack doesn’t expose your account or any personal information. So the only reason they’d want to do it would be pure malice.

The first stage of the attack is for the attacker to install WhatsApp on a brand new device and use your number to activate the app. Since they don’t have access to your phone, they won’t be able to verify the number belongs to them and actually access your WhatsApp account.

The bad news here is that repeatedly sending out two-factor authentication codes, and failing to enter them correctly, will lead to your own login being locked for 12 hours.

The second stage is a little bit more difficult, but isn’t all that hard. Once the account is locked, the attacker can email WhatsApp support claiming to be you, and declare your phone has been either lost or stolen and the WhatsApp app on it needs to be deactivated. 

Because WhatsApp doesn’t ask for an email address when you sign up, this gets “verified” with whatever email the attacker messaged support with. Then your account is suspended by an automated process. Should the attacker repeat the process multiple times, it can lead to a semi-permanent lock on your entire account.

whatsapp security flaw

A visual example of what a locked WhatsApp account looks like (Image credit: Forbes)

Thankfully there are no reports of this attack actually being used out in the world. Instead it’s a proof of concept from security researchers Luis Márquez Carpintero and Ernesto Canales Pereña (via Forbes).

However the security hole does exist, and it isn’t particularly complicated. To make matters worse, Whatsapp has not confirmed whether it has any plans to fix the problem. That's an issue, considering your account can be deactivated anonymously, with no way of identifying which malicious actors are responsible.

If it happens, the only thing you can do is get in touch with WhatsApp support, and try to get hold of a human being.

Obviously the problem needs fixing, and we can only hope WhatsApp is actively working on a fix, as at the time of writing, this security hole is ripe for exploitation.

Tom Pritchard
UK Phones Editor

Tom is the Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.