- A new security flaw in WhatsApp can let cybercriminals suspend the account of any user using only the victim's phone number.
- The attackers apparently do not need any information about the victim other than the phone number.
- However, the attacker can only get the account blocked, not gain access to it.
Phishing attacks on WhatsApp are a common sight, but the latest vulnerability to be spotted seems to be the most dangerous of all. As per reports, the new security flaw in WhatsApp lets cybercriminals suspend the account of any user using only that user's phone number. The attackers apparently need no information about the victim other than the phone number. At the time the report was published, there was no fix for the issue. However, the attacker can only get the account blocked, not gain access to it: this is a denial of service against the account, not an account takeover.
Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña were the first to discover the flaw, and it was first reported by Forbes. While this sounds impossible, the researchers found that the attacker first installs WhatsApp on their own phone and tries to register it with the victim's mobile number. WhatsApp then immediately sends a verification code by SMS to the victim's phone number (this is the registration check, not the optional two-step verification PIN). The attacker never sees the code, so this prevents them from gaining access to the account, but they keep repeating the process, entering codes they never received. After several failed attempts, WhatsApp disables verification for that number for 12 hours. Because the lockout is tied to the phone number rather than to the device making the attempts, it stops both the victim and the attacker from logging in to the account for 12 hours.
Next, the attacker emails WhatsApp support asking for the victim's phone number to be deactivated or suspended. The attacker says nothing about the lockout they have triggered and instead claims that the victim's phone has been lost or stolen. WhatsApp, without cross-checking or asking the victim for any input, deactivates the account. If the process is repeated, the account can end up locked permanently. The weakness in both steps is the same: an unauthenticated party who knows nothing but the phone number can change the state of someone else's account, first through a lockout keyed only on that number and then through a support request accepted without any proof that the requester owns it.
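To make the two design weaknesses concrete, here is an added toy model of the procedure above, written for this article and not WhatsApp's own code. It replays the attacker's steps against a weak policy (lockout keyed on the phone number alone; support acts on an unverified "stolen phone" claim) and against a hardened one (lockout keyed on phone number plus requesting device; support requires a token sent to the e-mail address bound to the account, which the attacker cannot read). The failure threshold, the token mechanism and the sample phone number are assumptions chosen to make the failure mode visible; only the 12-hour window comes from the report.

```python
# Added example (not WhatsApp's code): toy model of the lockout-plus-support
# abuse. MAX_FAILURES, the proof token and the sample data are assumptions.
from dataclasses import dataclass, field
import secrets

MAX_FAILURES = 5             # assumed: wrong codes allowed before a lockout
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour window the article reports


@dataclass
class VerificationService:
    """Phone-number verification with a failed-attempt lockout.

    scope_to_requester=False models the weak design: the lockout is keyed on
    the phone number alone, so anyone who can type the number can trigger it
    for its owner. True keys it on (phone, requesting device) instead.
    """
    scope_to_requester: bool = False
    now: int = 0
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    registered: dict = field(default_factory=dict)   # phone -> device

    def _key(self, phone, device):
        return (phone, device) if self.scope_to_requester else (phone,)

    def is_locked(self, phone, device):
        return self.locked_until.get(self._key(phone, device), -1) > self.now

    def submit_code(self, phone, device, code, correct_code):
        """Outcome of one code entry: 'registered', 'wrong' or 'locked'."""
        key = self._key(phone, device)
        if self.is_locked(phone, device):
            return "locked"
        if secrets.compare_digest(code, correct_code):
            self.failures.pop(key, None)
            self.registered[phone] = device
            return "registered"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            self.failures.pop(key, None)
            self.locked_until[key] = self.now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


@dataclass
class SupportDesk:
    """E-mail deactivation requests ("my phone was stolen").

    require_proof=False models acting on the claim alone. True requires a
    token that was sent to the e-mail address bound to the account.
    """
    service: VerificationService
    require_proof: bool = False
    tokens: dict = field(default_factory=dict)

    def issue_proof(self, phone):
        # Assumed out-of-band channel: the token goes to the owner's e-mail.
        self.tokens[phone] = secrets.token_hex(8)
        return self.tokens[phone]

    def request_deactivation(self, phone, proof=None):
        if self.require_proof and (proof is None or proof != self.tokens.get(phone)):
            return "refused"
        self.service.registered.pop(phone, None)
        return "deactivated"


def run_attack(scope_to_requester, require_proof):
    """Replay the article's two steps and report what the attacker achieved."""
    svc = VerificationService(scope_to_requester=scope_to_requester)
    victim, attacker = "victim-device", "attacker-device"
    number, real_code = "+15555550100", "123456"   # constructed sample data
    svc.registered[number] = victim

    # Step 1: the attacker keeps entering codes they never received.
    for _ in range(MAX_FAILURES):
        svc.submit_code(number, attacker, "000000", real_code)
    victim_locked = svc.is_locked(number, victim)

    # Step 2: the attacker e-mails support claiming the phone was stolen,
    # without the proof token (it was sent to the owner, not to them).
    desk = SupportDesk(svc, require_proof=require_proof)
    desk.issue_proof(number)
    support_result = desk.request_deactivation(number)

    return {
        "victim_locked_out_of_verification": victim_locked,
        "support_result": support_result,
        "victim_still_registered": svc.registered.get(number) == victim,
    }


if __name__ == "__main__":
    print("weak:     ", run_attack(scope_to_requester=False, require_proof=False))
    print("hardened: ", run_attack(scope_to_requester=True, require_proof=True))
```

Scoping the lockout to the requesting device is only a partial fix, since an attacker can present fresh device identities; the property that actually matters, and that the support check enforces, is that nobody who has not proved ownership of the number can alter the account's state. That is also the point of the spokesperson's advice below to bind an e-mail address to two-step verification.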
"There is no way of opting out of being discovered on WhatsApp. Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy focused would help protect users from this, as well as forcing people to implement a two-step verification PIN," ESET's Jake Moore told Forbes. He also warned that millions of users could be targeted using this attack if WhatsApp does not up its security game or roll out a more stringent method.
Reacting to the latest security flaw, a WhatsApp spokesperson told Forbes: "providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service, and we encourage anyone who needs help to email our support team, so we can investigate."