How to stop attackers from locking you out of WhatsApp

While the result is more annoying than dangerous, a newly exploited quirk of WhatsApp’s two-factor authentication system makes it relatively easy for an attacker to lock you out of your account for various periods of time. And, at the time of writing, all it takes for a bad actor to pull it off is knowing the phone number associated with your WhatsApp account. That’s it.

The attack itself is quite easy to perform. As Android Police describes:

This newly discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it because the two-factor authentication system sends the login prompts to your phone instead. After multiple repeated and unsuccessful attempts, your login will be locked for 12 hours.

Here’s the tricky part: if your account is locked, the attacker sends a support message to WhatsApp from their email address, claiming that their phone has been lost or stolen and that the account assigned to your number must be deactivated. WhatsApp “verifies” this with a reply email and suspends your account without any input from you. The attacker could repeat the process several times in a row to create a semi-permanent lock on your account.

The silver lining here is that the attack cannot actually be used to hack your account, only to piss you off by making your account useless for a period of time (possibly permanently, if the attacker is really committed).

WhatsApp reps told Forbes that the easiest way to protect yourself from these types of attacks is to make sure you have an email address associated with your two-step verification process, so that the attacker cannot forge your identity. You can do that now by opening WhatsApp, going to Settings, tapping Two-step verification, and entering your email address (or checking whether you’ve already done so).

This won’t necessarily block the attack, but it will make it a lot easier for WhatsApp customer service to help you if you find yourself in a ‘prevented from verifying my account’ feedback loop, which is what happens when an attacker contacts WhatsApp impersonating you and claiming that your account has been hacked and needs to be deactivated. (You will receive codes to reverse the erroneous deactivation, but you cannot enter them because of the previous trick, which temporarily banned you for entering too many incorrect 2FA codes.)

As Forbes’ Zak Doffman writes:

This is not complicated and should be easily resolved. WhatsApp could make sure that an app on a device with 2FA registered can avoid this problem by using 2FA as a circuit breaker. Even simpler, when multi-device access eventually appears, WhatsApp could use the concept of trusted devices to enable one verified app to authenticate another. This is a much better system and would disable this vulnerability.
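The feedback loop described above (a stranger’s failed codes lock the whole number, then a deactivation request from an unverified email address is honoured) and the fixes Doffman sketches can be modelled as a small server-side policy. The following is an added example written for this page, not WhatsApp’s code; the class names, the five-attempt threshold, the per-device lock (the “circuit breaker” idea) and the rule that a deactivation request is only accepted from the email registered under two-step verification are all assumptions, and the phone number and addresses are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field

MAX_FAILED_CODES = 5            # assumed lockout threshold
LOCK_SECONDS = 12 * 60 * 60     # 12-hour lock, as the article describes


@dataclass
class Account:
    number: str
    recovery_email: str | None = None      # email set under Two-step verification
    trusted_device: str | None = None      # device that already holds the account
    failed: dict[str, int] = field(default_factory=dict)          # failures per lock key
    locked_until: dict[str, float] = field(default_factory=dict)  # lock expiry per lock key
    deactivated: bool = False


class VerificationService:
    """Hypothetical policy for code checks and deactivation requests."""

    def __init__(self, hardened: bool):
        self.hardened = hardened

    def _lock_key(self, device: str) -> str:
        # Weak policy: one lock for the whole number, so a stranger's failures
        # also lock the legitimate device. Hardened policy: locks are per device,
        # so a device that never entered a wrong code is never blocked.
        return device if self.hardened else "*"

    def is_locked(self, acct: Account, device: str, now: float) -> bool:
        return acct.locked_until.get(self._lock_key(device), 0.0) > now

    def submit_code(self, acct: Account, device: str, code: str,
                    expected: str, now: float) -> str:
        if acct.deactivated:
            return "deactivated"
        if self.is_locked(acct, device, now):
            return "locked"
        key = self._lock_key(device)
        if code == expected:
            acct.failed[key] = 0
            return "verified"
        acct.failed[key] = acct.failed.get(key, 0) + 1
        if acct.failed[key] >= MAX_FAILED_CODES:
            acct.locked_until[key] = now + LOCK_SECONDS
            return "locked"
        return "wrong_code"

    def request_deactivation(self, acct: Account, from_email: str, now: float) -> str:
        if self.hardened:
            # Only the address registered for two-step verification may ask;
            # any other sender is refused before a reply email is even sent.
            if acct.recovery_email is None or from_email != acct.recovery_email:
                return "rejected_unverified_sender"
        acct.deactivated = True
        return "deactivated"


def run_scenario(hardened: bool) -> dict[str, str]:
    """Replay the two-vector flow from the article (constructed data) under one policy."""
    svc = VerificationService(hardened)
    acct = Account(number="+15550100", recovery_email="owner@example.com",
                   trusted_device="owner-phone")
    now = 0.0
    # Vector 1: a device that does not hold the account submits wrong codes until the lock trips.
    for _ in range(MAX_FAILED_CODES):
        svc.submit_code(acct, "stranger-device", "000000", "123456", now)
    # The legitimate device then tries the correct code.
    owner_result = svc.submit_code(acct, "owner-phone", "123456", "123456", now + 60)
    # Vector 2: a deactivation request arrives from an address that is not the registered one.
    deact = svc.request_deactivation(acct, "someone@example.net", now + 120)
    return {"owner_code": owner_result, "deactivation": deact}


if __name__ == "__main__":
    print("weak policy:    ", run_scenario(hardened=False))
    print("hardened policy:", run_scenario(hardened=True))
```

Under the weak policy the owner’s correct code is refused (`locked`) and the stranger’s deactivation request goes through; under the hardened policy the owner verifies normally and the request is rejected because its sender does not match the registered two-step verification email, which is exactly why the article recommends setting that address.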

I would expect WhatsApp to investigate this issue and patch the 2FA verification process (or the account-deactivation process) to render these drive-by-style attacks ineffective. In the meantime, consider switching to a completely different WhatsApp number, if possible, to minimize the risk of being locked out.
