Researchers have discovered that it is alarmingly easy to lock anyone out of their WhatsApp account, even with two-factor authentication (2FA) switched on.
As first reported by Forbes, disabling an account requires the abuse of two fairly weak WhatsApp processes. While this isn't as bad as outright hijacking an account, it's still concerning that anyone can be locked out this easily.
It's worth remembering that WhatsApp lets you look up any phone number to see whether it's connected to a WhatsApp account. You can't opt out of this lookup, so all anyone needs in order to interfere with your account is your number.
Now, let’s take a look at how this vulnerability works.
WhatsApp account exploitation #1
The first flaw relates directly to your phone number. To set up WhatsApp on a phone (either for the first time or when you're switching devices) you are sent a six-digit code for verification purposes.
The problem is that nothing stops a bad actor from entering your phone number into the app, even though the number is already registered to you.
This results in you receiving code-request texts. If you think this will stop the attacker, you'd be wrong. They don't need the verification codes.
The verification process does have a limit. After codes have been requested a certain number of times, the WhatsApp app on the attacker's phone will say "you have guessed too many times... try again in 12 hours."
That's right: the message goes to the attacker's phone, not yours. At this point, unless you noticed the code-request texts, you may not even realise any of this is happening.
And if you did notice, it's too late. The attacker has blocked your ability to request new codes of your own to switch devices.
Account exploitation #2
Now for the next step: blocking your account.
They can do this by creating a throwaway email address and emailing WhatsApp support about a lost or stolen account.
As Forbes points out in its example, all an attacker needs to do is quote your phone number and ask WhatsApp to deactivate the account.
There is no verification process for this, and the account will most likely be deactivated (though one would hope this changes soon now that these flaws have been brought to light).
From here WhatsApp would stop working on your phone. “Your phone number is no longer registered with WhatsApp on this phone,” the automated message reads. “This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log back into your account.”
But surely you can just verify your number again, like the automated message says? Nope, because verification codes have been locked for 12 hours, as outlined in the first flaw above.
“You’ve tried to register [number] recently,” the app will read. “Wait before requesting an SMS or a call.”
But doesn't that mean you can simply get a verification code once the 12-hour countdown has finished? Yes, but here's where the real problems begin.
As the researchers discovered, if the attacker repeats this 12-hour cycle three times, a bigger problem appears. The app will no longer say you need to wait 12 hours. It will now say:
You have guessed too many times… try again after -1 seconds.
If the attacker knows what they are doing, they will wait until this third cycle to email WhatsApp support to deactivate the number, because you won’t be able to simply re-register it due to this weird bug.
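The two weaknesses described above come down to design choices: the code-request lockout is attached to the phone number, so a stranger's requests lock out the number's real owner, and a deactivation request is acted on without any proof that it came from the account holder. The following is an added illustrative example, written for this article and not WhatsApp's code, of how a verification throttle and a deactivation flow can be built so that neither problem arises. The limits, the `Throttle` and `Deactivation` classes, the sample phone number and the email addresses are all constructed for the example; the real service's internals are not known from the page.

```python
"""Constructed example: lockouts keyed to the requester, not the target number,
and deactivation that requires proof delivered to the registered contact."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import secrets

HOUR = 3600
PER_REQUESTER_LIMIT = 5            # attempts from one device before that device is locked
PER_REQUESTER_LOCKOUT = 12 * HOUR  # the 12-hour wait the article quotes
PER_NUMBER_SMS_PER_HOUR = 10       # cap on codes delivered to one number, any requester


@dataclass
class Throttle:
    # Attempts and lockouts are keyed by (number, requester): a third party who
    # hammers your number only locks out their own device, never yours.
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)
    # Deliveries are keyed by number alone; this bounds SMS cost and spam to the
    # owner, and at worst delays them minutes, not half a day.
    deliveries: dict = field(default_factory=lambda: defaultdict(deque))

    def request_code(self, number, requester, now):
        """Return ('sent', 0) or ('wait', seconds); seconds is never negative."""
        key = (number, requester)
        remaining = self.locked_until.get(key, 0) - now
        if remaining > 0:
            return ("wait", remaining)          # a non-positive remainder means no wait
        q = self.attempts[key]
        while q and q[0] <= now - HOUR:          # count attempts within the last hour
            q.popleft()
        q.append(now)
        if len(q) > PER_REQUESTER_LIMIT:
            self.locked_until[key] = now + PER_REQUESTER_LOCKOUT
            q.clear()
            return ("wait", PER_REQUESTER_LOCKOUT)
        d = self.deliveries[number]
        while d and d[0] <= now - HOUR:
            d.popleft()
        if len(d) >= PER_NUMBER_SMS_PER_HOUR:
            # Owner waits only until the oldest delivery ages out of the window.
            return ("wait", max(0, d[0] + HOUR - now))
        d.append(now)
        return ("sent", 0)


@dataclass
class Deactivation:
    # number -> email address registered with two-step verification (constructed)
    recovery_email: dict
    pending: dict = field(default_factory=dict)
    deactivated: set = field(default_factory=set)

    def request(self, number, sender_email):
        """Anyone may ask. Nothing happens until a challenge sent to the
        registered contact, not to the sender, is answered."""
        target = self.recovery_email.get(number)
        if target is None:
            return None                          # no registered contact: manual review
        self.pending[number] = f"{secrets.randbelow(10**6):06d}"
        return target                            # where the challenge code is delivered

    def confirm(self, number, code):
        """Deactivate only when the challenge code is presented."""
        if self.pending.get(number) == code:
            del self.pending[number]
            self.deactivated.add(number)
            return True
        return False


if __name__ == "__main__":
    t = Throttle()
    for i in range(PER_REQUESTER_LIMIT + 1):
        print("stranger:", t.request_code("+15550100", "stranger-device", 1000 + i))
    print("owner:   ", t.request_code("+15550100", "owner-device", 1010))
```

The trade-off worth noting: a per-number delivery cap is still needed so a flood of requests cannot run up SMS costs, but it should be short and independent of the 12-hour lockout, which belongs to the device that misbehaved. The `remaining > 0` check is the guard against ever presenting a negative wait as a lockout; however the "-1 seconds" state in the article arises, a remainder that is zero or below should simply mean the request is allowed.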
We don’t know if or when this will be fixed
Forbes spoke to WhatsApp about the issue, and it doesn't sound like much is being done about it.
“Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem,” a spokesperson told the publication.
“The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”