WhatsApp is affected by a serious security flaw. By exploiting it, an attacker is able to permanently block your WhatsApp account. WhatsApp has promptly warned Internet users who might be tempted to use this trick to suspend an acquaintance's account that sanctions will be taken against them. Nevertheless, the messaging service believes that attacks of this kind are rare.
Using only your phone number, a remote attacker is able to block your WhatsApp account, our colleagues at Forbes report. Security researchers Luis Marquez Carpintero and Ernesto Canales Pereña have discovered a flaw in how the instant messaging app works.
To achieve this, an attacker can easily abuse the two-factor authentication set up by WhatsApp. "This hack could impact millions of users, who could potentially be targeted by this attack. With so many people relying on WhatsApp as their primary communication tool for social and work purposes, it is alarming how easily this can happen," says Jake Moore, IT security researcher at ESET.
How can an attacker block a WhatsApp account?
The attack takes place in several stages. First, the attacker uses your phone number to try to set up WhatsApp on another smartphone. The number may have been retrieved from a leaked database. To verify your identity, the messaging app sends login codes to your phone number. You will therefore receive login codes that you never requested. If this happens to you, we advise you to be wary: you are probably the target of an attack. "Anyone can install WhatsApp on a phone and enter your number on the verification screen," Forbes notes.
The attacker repeatedly requests WhatsApp login codes using your phone number and, in parallel, enters incorrect codes in the app. Eventually, the messaging application blocks further code requests as a security measure: after a number of wrong attempts, WhatsApp blocks code requests for a period of 12 hours.
The attacker therefore has a window of twelve hours to carry out the rest of the plan. In a second step, the attacker creates a fake email address in your name. It is extremely easy to create an email address in someone else's name, especially on Gmail. With this dummy address, he gets in touch with WhatsApp customer support, firstname.lastname@example.org. In the email, he explains that his smartphone has been lost or stolen and requests the suspension of your account. Customer support interprets the multiple incorrect codes entered earlier as proof of his claims.
Without any further verification, WhatsApp suspends your account. "Your phone number is no longer registered with WhatsApp on this phone. Maybe it's because you saved it on another phone. If you haven't, verify your phone number to reconnect to your account," reads the warning message displayed in the messaging application. To reconnect to your account, you have to go through two-factor authentication again. Unfortunately, the sending of codes is still disabled. To prevent you from recovering your account, the attacker can keep the sending of login codes blocked indefinitely by entering wrong combinations on another phone. De facto, the victim is deprived of their account!