UPDATED 22:29 EST / APRIL 12 2021

SECURITY

WhatsApp flaw allows an attacker to suspend an account using a phone number

A newly discovered flaw in the Facebook Inc.-owned messaging app WhatsApp can allow an attacker to suspend an account using only the target's phone number.

The proof of concept, developed by researchers Luis Márquez Carpintero and Ernesto Canales Pereña and first reported April 10 by Forbes, involves an attacker installing WhatsApp on a new phone and registering it with the target's phone number.

During registration WhatsApp sends a verification code to the phone number to check that the new device belongs to the actual account holder. Repeatedly failing that check locks further verification attempts for the number for 12 hours. Once that has happened, the attacker registers a new email address, contacts WhatsApp support claiming the phone has been lost or stolen, and asks that the WhatsApp account associated with the number be shut down.

WhatsApp replies with an email confirming that the account has been suspended, without asking the requester for anything that proves they are the legitimate owner of the account. The legitimate owner has lost the account, and there is little they can do about it.

WhatsApp hasn't discussed a potential solution to the issue, telling Forbes only that it recommends users add an email address to two-step verification, the app's two-factor option, so that support representatives can help if they ever run into this "unlikely problem." The company spokesperson added that anyone attempting an attack like this would also be violating WhatsApp's terms of service, not that attackers would care about that.

Instead of offering feeble excuses and references to its terms of service, WhatsApp, a messaging service with more than 2 billion users, should be doing more to deal with this glaring security issue. That an attacker can attempt to log in as someone else is one thing, since that is possible on any number of services. But the fact that the deactivation process is automated and does not check whether the person requesting it is the legitimate user is clearly a serious problem.
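The two design weaknesses the article describes, a lockout keyed only on the phone number that anyone can trigger against anyone, and a deactivation path that never verifies who is asking, can be modelled in a few dozen lines. The following is an added illustrative example, not WhatsApp's code and not the researchers' proof of concept; the attempt threshold, the `Account` fields, the device identifiers and the email-token recovery pattern in `HardenedService` are all assumptions made for the illustration. Only the 12-hour lockout comes from the article.

```python
import hmm_placeholder_removed
```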

Photo: Christoph Scholz/Flickr
