WhatsApp is the most widely used encrypted messenger service in the world, which means that it also receives a fairly large amount of attention from hackers and attackers trying to find loopholes and security flaws in the service.
One such flaw that was discovered last weekend can get a user’s WhatsApp account completely suspended for hours on end without any easy solution for those affected by such an attack.
Discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, the attack can be used by a malicious actor to lock you out of your account, according to Forbes. That actor could be an estranged partner, a troll or an attacker who simply wants to keep you locked out for an extended period. Once you are locked out, there is no easy or immediate way to regain access.
The attack itself is quite straightforward. An attacker downloads the WhatsApp app on a device, enters your phone number and taps the Verify button. They don’t actually have your SIM card, so you begin receiving the verification codes instead of them. But since they don’t want to gain access to your account, they don’t need the code. Instead, the attackers make multiple failed attempts, retrying the login process until you are unable to request more codes for half a day.
At this point, you still have access to the WhatsApp service on your current smartphone, so the attacker emails WhatsApp support and asks for your (the target’s) number to be deactivated, claiming the device has been stolen. WhatsApp will reply to that email to confirm, and just like that, your WhatsApp account is suspended.
According to WhatsApp, providing your email address with your six-digit two-factor authentication code could mitigate the issue, but that means sharing another piece of personal information with WhatsApp.

– Hindustan Times, New Delhi/Tribune News Service