A WhatsApp vulnerability has been revealed that makes it easier for your account to be deactivated remotely. According to cyber security researchers Luis Márquez Carpintero and Ernesto Canales, a person who wants to close your WhatsApp account only needs to know your phone number. Moreover, they state that even WhatsApp's two-factor authentication cannot prevent this.
Someone who knows your number can close your WhatsApp account
The new attack method, reported by Forbes magazine, works as follows:
WhatsApp has no username and password. When you install the application from the store and log in, you enter your phone number in the requested field. A code is then sent to your phone by SMS, and you enter it in the application to verify your account.
WhatsApp imposes certain limits on this verification process. For example, if a user enters the verification code incorrectly 4-5 times, they can no longer request a new one. They get a warning saying they have to wait, with the wait growing from 60 minutes to 6 hours and then 12 hours. This is where the problem that jeopardizes the accounts of more than 1 billion monthly users begins.
A malicious person who knows your number repeatedly asks WhatsApp for a code on your behalf. Those codes reach your phone, but you ignore them because you did not request them, and there is nothing you can do. In the meantime, the attacker keeps entering random security codes, and WhatsApp rejects them because they are wrong. After a while, the platform's protection mechanism is activated, and a warning appears that the attacker must wait 12 hours to request a new code.
Seeing this, the attacker keeps pushing. He contacts the WhatsApp support team via [email protected] and sends a message saying, “Hello, my account number xxxx has been stolen. Please close my account.” The WhatsApp support team immediately deactivates the account for that number without questioning the request or verifying the authenticity of the sender.
To summarize: the attacker requests the security code on your behalf and enters it incorrectly many times, then, as if that were not enough, asks the WhatsApp support team for help and demands that the account for your number be closed. The interesting thing is that the support team accepts this “help” request without question.
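The shared lockout described above, modelled as an added sketch (not WhatsApp's code and not from the researchers): the throttle state is keyed by phone number only, so wrong codes entered from any device also block the owner's phone. The class and function names, the limit of 5 attempts and the sample number are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed values: the article says "4-5" wrong entries, then waits of
# 60 minutes, 6 hours and 12 hours.
MAX_WRONG = 5
WAITS_MIN = [60, 6 * 60, 12 * 60]

@dataclass
class NumberState:
    wrong: int = 0         # wrong codes since the last lockout
    level: int = 0         # lockouts imposed so far
    locked_until: int = 0  # minute on the simulated clock

class Verifier:
    """Toy model (hypothetical): throttle state is keyed by phone number only."""
    def __init__(self):
        self.state = {}

    def request_code(self, number, device, now):
        # `device` is deliberately ignored, matching the behaviour described.
        st = self.state.setdefault(number, NumberState())
        if now < st.locked_until:
            return f"wait {st.locked_until - now} min"
        return "code sent by SMS"

    def submit_wrong_code(self, number, device, now):
        st = self.state.setdefault(number, NumberState())
        if now < st.locked_until:
            return f"wait {st.locked_until - now} min"
        st.wrong += 1
        if st.wrong < MAX_WRONG:
            return "wrong code"
        wait = WAITS_MIN[min(st.level, len(WAITS_MIN) - 1)]
        st.locked_until, st.level, st.wrong = now + wait, st.level + 1, 0
        return f"wait {wait} min"

def simulate():
    v, number, now = Verifier(), "+10000000000", 0  # constructed number
    for _ in range(3):  # three rounds of wrong codes from another device
        start = now
        for _ in range(MAX_WRONG):
            last = v.submit_wrong_code(number, "other-device", start)
        now = v.state[number].locked_until  # next round begins at expiry
    # The owner's own phone asks for a code one minute into the last lockout.
    return last, v.request_code(number, "owner-device", start + 1)
```
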
What can those who encounter this problem do?
The victim sees the warning message “Your number is no longer registered on this phone.” When the victim tries to verify their phone again, WhatsApp does not allow it. It says they have to wait 12 hours because the wrong code was entered repeatedly for the same number. This period, which can be up to 24 hours, can sometimes become unlimited. In other words, the victim can no longer verify their account.
Forbes’ cybersecurity writer Zak Doffman shared a few details on what to do if faced with such a problem. Doffman said victims should seek help from the WhatsApp support team. Noting that even this is not a definitive solution, Doffman warned users to be careful.
In an e-mail to Zak Doffman, a WhatsApp spokesperson explained that the attack method in question was a “violation of the terms of service”. However, the spokesperson did not comment on a final solution to the attack.