This WhatsApp vulnerability is pretty stupid, but it can lock you out of your account indefinitely
Security researchers have found a new vulnerability in WhatsApp that may prompt more users to quit the Facebook-owned messaging service. Malicious actors can easily exploit this vulnerability to lock you out of your WhatsApp account indefinitely, making it more than just a minor inconvenience for the messenger’s 2 billion+ users. But that’s not the worst part.
According to researchers Luis Márquez Carpintero and Ernesto Canales Pereña (via Forbes), attackers don’t require any special software or training to exploit this vulnerability. They only need access to your phone number. Once they have that, they can lock you out of your WhatsApp account without much effort. And here’s how it works.
WhatsApp requires two-factor authentication whenever you log in on a new device. For this, the service sends a six-digit code to your phone number for verification. If you enter the wrong code several times, WhatsApp automatically suspends your account for 12 hours.
Attackers can exploit this two-factor authentication system by installing WhatsApp on a new device, entering your phone number, and repeatedly entering the wrong code. While this will prevent you from logging in on a new device for the next 12 hours, it won’t affect your current WhatsApp install. It’ll continue to work as intended.
To prevent you from logging in on a new device indefinitely, an attacker only needs to repeat the aforementioned steps thrice. On the third 12-hour cycle, the app’s suspension timer will break and start showing a “-1 seconds” timer instead. Once that bug shows up, WhatsApp won’t let you log in on a new device at all. However, your current install will continue to work. But the exploit doesn’t end there, as it can be chained forward to drastically increase its impact.
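The root of the problem described above is a lockout that is charged to the phone number alone, so anyone who knows the number can trigger it without ever owning the account. The model below is an added illustration, not WhatsApp's code: it contrasts a number-keyed throttle with one that charges failures to the requesting device, and clamps the countdown so it can never run negative or open-ended. The failure threshold, the device names and the phone number are constructed assumptions.

```python
LOCKOUT_SECONDS = 12 * 3600   # the 12-hour suspension the article describes
MAX_FAILURES = 5              # assumed threshold; the article only says "several times"

# What a failure is charged to: the phone number alone (the design the article
# describes, which lets a stranger lock the owner out), or (number, client).
by_number = lambda number, client: number
by_client = lambda number, client: (number, client)


class VerificationThrottle:
    """Counts wrong verification codes and suspends further attempts for the key."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = {}       # key -> consecutive wrong codes
        self.locked_until = {}   # key -> unix time the suspension ends

    def remaining(self, number, client, now):
        # Clamped at zero: the countdown can never read negative or run open-ended.
        return max(0, self.locked_until.get(self.key_fn(number, client), 0) - now)

    def attempt(self, number, client, code_ok, now):
        key = self.key_fn(number, client)
        if self.remaining(number, client, now) > 0:
            return "locked"
        if code_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            self.failures[key] = 0
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "retry"


def simulate(key_fn, now=1_700_000_000):
    """Constructed scenario: a stranger who knows the number enters wrong codes
    until suspended, then the real owner registers a new phone with the right code."""
    t, number = VerificationThrottle(key_fn), "+1-555-0100"   # constructed number
    for _ in range(MAX_FAILURES):
        t.attempt(number, "stranger-device", code_ok=False, now=now)
    return {
        "stranger": t.attempt(number, "stranger-device", code_ok=True, now=now + 60),
        "owner": t.attempt(number, "owner-new-device", code_ok=True, now=now + 60),
        "owner_later": t.attempt(number, "owner-new-device", code_ok=True,
                                 now=now + LOCKOUT_SECONDS + 1),
    }
```

With `by_number` the owner's own registration comes back "locked" even though they never guessed wrong; with `by_client` only the stranger's device is suspended and the owner registers normally.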
The attacker’s final move will break your current install as well, and you’ll be locked out of your account permanently. For this, all the attacker needs to do is send WhatsApp an email asking the service to deactivate your phone number. WhatsApp might send an automated reply asking the attacker to confirm the number, and once they confirm, WhatsApp will automatically deactivate your account without your knowledge.
Your current WhatsApp install will then stop working suddenly, and you’ll see the following notification: “Your phone number is no longer registered with WhatsApp on this phone. This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log back into your account.” Now, when you try to verify your phone number, you’ll see the “-1 seconds” suspension timer, and you won’t be able to log in at all.
Since there is no sophistication to this attack, anyone with access to your phone number can easily lock you out of your WhatsApp account in a matter of days. Therefore, WhatsApp needs to address this glaring issue immediately.
The messenger has already been alerted to the issue. In response to the disclosure, a WhatsApp spokesperson told Forbes that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.” The fact that WhatsApp considers this to be an “unlikely” problem should be reason enough for many users to move away from the service. On top of that, the spokesperson added that those attempting the exploit would be violating WhatsApp’s terms of service. As if that will scare away all the hackers and prevent pranksters from trying the exploit on an unsuspecting user.
We urge our readers not to exploit this vulnerability, not because violating WhatsApp’s terms of service will land you in jail, but because it’s a rather shitty thing to do. Also, if you’re finally ready to switch to a different service, check out our in-depth guide on WhatsApp alternatives that highlights all the pros and cons of switching to another platform.