WhatsApp: Imagine that you are a computer engineering student and, as part of your studies, you are doing research on applications. Imagine that you run into a serious flaw, no, a very serious one, in WhatsApp. A vulnerability so serious that anyone who knows your phone number can lock you out of your account and take it from you, without further ado. Imagine that you immediately report it to Facebook so that it gets fixed. And imagine that Facebook, after four warnings, still neither acknowledges nor repairs it.
The serious WhatsApp security flaw of 2021
This is, broadly speaking, what has happened to two students, Luis Márquez Carpintero and Ernesto Canales Pereña, who tried up to four times to alert WhatsApp so that it would repair the flaw, without WhatsApp paying any attention to them. The next step was the most logical one given the seriousness of the problem (remember that more than a quarter of the world's population uses this application every month): go public, alert the press, and see whether WhatsApp would do something this time.
And so it was, with media such as the almighty Forbes and security outlets such as ESET reporting the flaw and verifying the seriousness of the problem first-hand. But what exactly is going on with WhatsApp?
Steal your account using your phone number
Every week we see WhatsApp being used to distribute all kinds of attacks, from phishing to malware downloads, but we also see methods capable of hijacking accounts, such as the one that abuses the SMS messages carrying the six-digit code used to validate the installation of WhatsApp on a new phone.
The application has a two-step verification system that is supposed to act as the final security barrier that lets you feel safe with your account. But according to the students Carpintero and Pereña, this is no longer the case: the vulnerability they have discovered works in two phases, affecting two different processes of the app, one of them related to two-step verification. By carrying out both, the attacker ends up with your account deactivated at his command, and can then decide whether to take it over, delete it, and so on.
How your WhatsApp account can be deactivated
This is how the process works:
Entry point – the SMS verification code
When you install WhatsApp for the first time on your phone, or change phones, the platform sends you a code by SMS to verify the account. Once you enter the correct code, the app asks you for your two-step verification PIN to make sure that it is really you, and then you are in. This is the starting point of the process.
Vulnerability 1: Block sending of new codes
Anyone can install WhatsApp on a phone and enter your phone number on the verification screen. What happens is that, suddenly, your phone starts receiving SMS messages and calls carrying the six-digit code. A notification from the WhatsApp application also appears, telling you that a code has been requested and warning you not to share it.
An attacker can do this with your WhatsApp phone number while you continue to use the application normally. What the attacker does is keep requesting new codes and typing wrong codes into his app. You receive the codes by SMS, perhaps also the calls, but there is nothing you can do with them: there is nowhere to enter those codes. So you ignore everything, which is exactly what the attacker wants.
The problem is how the WhatsApp verification process limits the number of codes that can be sent. After a few attempts, the attacker's WhatsApp says: "Send an SMS again / call me in 12 hours", and no new codes can be generated. WhatsApp also blocks code entry in the app after a number of attempts, telling the attacker "you've guessed too many times … try again in 12 hours." Both limits are tied to your phone number, not to the attacker's device.
And so, while WhatsApp continues to function normally on your phone, the attacker has blocked both the sending of new codes and their entry on the verification screen. Everything now depends on that 12-hour timer, which is counting down.
While the attacker does all this, you notice nothing and do not know that, for the next 12 hours, he has blocked the path you would use to recover your account if you had a problem. He has set the stage, and now he moves on to the second phase of the plan.
Vulnerability 2: WhatsApp stops working for you
The attacker now registers a new email address and sends an email to [email protected], the app's official support address, with the text "Account lost / stolen, please deactivate my number", including your phone number. WhatsApp may send an automated reply asking for the number again, which the attacker supplies.
The support system has no way of knowing whether it is really you who made the request; all it sees is that the number in the email is yours. There are no follow-up questions to confirm ownership of the number. An automated process has been set in motion without your knowledge, and your account will be deactivated.
An hour later, WhatsApp suddenly stops working on your phone and you see an alarming notification:
"Your phone number is no longer registered in WhatsApp on this phone. This may be because you have registered it on another phone. If you didn't, check your phone number to get back into your account."
This deactivation appears to be automated, using keywords in the email to trigger the action. It happens even if you have two-step verification turned on in your WhatsApp account. Still, this should not be a problem: you just have to request a code and re-register your account. You do so, entering and confirming your number. But no message arrives. "You have tried to register [your number] recently. Please wait before requesting an SMS or a call," the app tells you.
What is this? It is the 12-hour wait the attacker triggered earlier from his own phone using your phone number, which now blocks your option to request this code. At this point you look for the most recent SMS that arrived unasked and enter that code in WhatsApp. But even this does not work. "You've guessed too many times," WhatsApp tells you: because both limits are keyed to the phone number rather than to the device that exhausted them, your phone inherits exactly the same restrictions as the attacker's.
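The two phases above, modelled as an added example (this is illustrative code written for this article, not WhatsApp's code). It simulates a verification service whose send and guess limits are keyed on the target phone number alone, which is the behaviour the article describes, beside a variant keyed on (phone number, requesting client). The concrete limits (5 sends, 5 guesses), the fixed demo code "123456", the deactivation hook and the sample phone number are all assumptions; the article only says "after a few attempts" and quotes a 12-hour wait. The two-step verification PIN is omitted because, in this flow, the victim never gets far enough to be asked for it.

```python
"""Toy model of an SMS verification flow with rate limits keyed either on the
phone number alone (the weak design the article describes) or on the pair
(phone number, requesting client). Illustrative only; not WhatsApp's code."""

from dataclasses import dataclass

# Assumed limits for the demo; the article only says "after a few attempts".
MAX_SENDS = 5
MAX_GUESSES = 5
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour wait the article quotes
DEMO_CODE = "123456"         # a real service generates a random code per request


@dataclass
class Limits:
    sends: int = 0
    guesses: int = 0
    send_locked_until: float = 0.0
    guess_locked_until: float = 0.0


class VerificationService:
    def __init__(self, per_client: bool):
        self.per_client = per_client   # True = limits scoped to the requesting client
        self.clock = 0.0               # simulated time; never advanced in the demo
        self.limits: dict = {}
        self.pending_code: dict = {}   # number -> code "delivered" to that number's SIM
        self.registered: dict = {}     # number -> client currently holding the account

    def _limits(self, number: str, client: str) -> Limits:
        key = (number, client) if self.per_client else number
        return self.limits.setdefault(key, Limits())

    def request_code(self, number: str, client: str) -> str:
        lim = self._limits(number, client)
        if self.clock < lim.send_locked_until:
            return "wait"
        lim.sends += 1
        if lim.sends > MAX_SENDS:
            lim.send_locked_until = self.clock + LOCKOUT_SECONDS
            return "wait"
        self.pending_code[number] = DEMO_CODE  # SMS goes to the number's owner
        return "sent"

    def submit_code(self, number: str, client: str, code: str) -> str:
        lim = self._limits(number, client)
        if self.clock < lim.guess_locked_until:
            return "locked"
        lim.guesses += 1
        if lim.guesses > MAX_GUESSES:
            lim.guess_locked_until = self.clock + LOCKOUT_SECONDS
            return "locked"
        if self.pending_code.get(number) == code:
            self.registered[number] = client
            return "registered"
        return "wrong"

    def deactivate_by_email(self, number: str) -> str:
        # Models the support-mailbox path: no proof of ownership is required,
        # so anyone who knows the number can trigger it (assumed behaviour).
        self.registered.pop(number, None)
        return "deactivated"


def run_attack(per_client: bool) -> tuple:
    """Replay both phases and return what the victim sees when recovering."""
    svc = VerificationService(per_client)
    number, victim, attacker = "+34600000000", "victim-phone", "attacker-phone"

    # The victim is a normal, registered user.
    svc.request_code(number, victim)
    svc.submit_code(number, victim, DEMO_CODE)

    # Phase 1: the attacker exhausts both limits using the victim's number.
    while svc.request_code(number, attacker) == "sent":
        pass
    while svc.submit_code(number, attacker, "000000") != "locked":
        pass

    # Phase 2: deactivation via the support mailbox, no ownership check.
    svc.deactivate_by_email(number)

    # The victim now tries to re-register, holding the genuine SMS code.
    return (svc.request_code(number, victim),
            svc.submit_code(number, victim, DEMO_CODE))


if __name__ == "__main__":
    print("limits keyed on number only :", run_attack(per_client=False))
    print("limits keyed on number+client:", run_attack(per_client=True))
```

With limits keyed on the number alone the victim gets ("wait", "locked"): the recovery path is closed even though the genuine code is sitting in the inbox. Keying the guess lockout on (number, client) lets the legitimate holder of the SIM still enter the code. In practice a service still needs a per-number cap on SMS sends to stop SMS bombing; the design lesson is that a limit meant to slow down an attacker must not be the same counter that locks out the person who actually receives the SMS.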