NEW DELHI: Security experts have found a flaw in the popular instant messaging app WhatsApp through which an attacker can temporarily suspend your WhatsApp account using nothing more than your phone number. The flaw stems from two fundamental weaknesses and appears to have existed for quite some time. WhatsApp users now run the risk of having their account temporarily disabled by a remote attacker who can also block them from reactivating it. You can, however, protect yourself against this vulnerability by enabling two-step verification (2FA) for your WhatsApp account.
Luis Márquez Carpintero and Ernesto Canales Pereña, the two security researchers who discovered the flaw, found that it exists on the instant messaging app because of two fundamental weaknesses. The issue was first reported by Forbes.
The first weakness allows the attacker to enter your phone number into WhatsApp installed on their own phone. Unless the attacker also obtains the six-digit registration code that is sent to your phone, they will not get access to your WhatsApp account. But after multiple failed attempts to sign in with your phone number, code entry on the attacker's phone is blocked for 12 hours, and that block applies to your number, not just to the attacker's device.
Even while the attacker is unable to repeat the sign-in process with your phone number, they can contact WhatsApp support to have your phone number deactivated in the app. All they need is a new email address from which to tell WhatsApp that the phone has been stolen or lost. In response to that email, WhatsApp will ask for a confirmation, which the attacker will promptly provide.
This will lead to your WhatsApp account being deactivated, and you will no longer be able to access it on your phone. You cannot escape deactivation even with 2FA enabled on your WhatsApp account, because the account has been deactivated through the email sent from the attacker's end.
In a regular deactivation you can reactivate your WhatsApp account by verifying your phone number, but that is not possible if the attacker has already locked the verification process for 12 hours by making multiple failed sign-in attempts against your account. This means you will be unable to receive a new registration code on your phone number for 12 hours. Once the initial 12-hour suspension expires, the attacker can repeat the failed sign-ins and suspend your account all over again.
WhatsApp cannot differentiate between your phone and the attacker's phone, so it blocks sign-in access for both. The only option you have to recover your WhatsApp account is to reach out to WhatsApp by email.
Users can reduce the risk of having their accounts deactivated by attackers by registering an email address with their account through two-step verification.
"Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate," said a WhatsApp spokesperson.
There is no further information on whether WhatsApp is working on a fix for this problem.
Of the two billion WhatsApp users worldwide, India alone accounts for a staggering 400 million or more. There is a high chance that many of these users have not linked an email address to their registered accounts, leaving a huge pool of potential victims of cybercrime.