UPDATED 22:29 EDT / APRIL 12 2021

SECURITY

WhatsApp flaw allows an attacker to suspend an account using a phone number

A newly discovered flaw in the Facebook Inc.-owned messaging app WhatsApp can allow an attacker to suspend an account using only a user’s phone number.

The proof of concept, developed by researchers Luis Márquez Carpintero and Ernesto Canales Pereña and first reported April 10 by Forbes, involves a wannabe hacker installing WhatsApp on a new phone using a target’s phone number.

WhatsApp attempts to use two-factor authentication during logins to verify that the new device is linked to the actual account holder. Repeating the failed login attempt then causes the account to be suspended for 12 hours. Once that has happened, the attacker registers a new email address, contacts WhatsApp support claiming the phone has been stolen or lost, and asks that the WhatsApp account associated with the number be shut down.

WhatsApp sends an email confirming that the account has been suspended without asking the attacker for any information confirming that they are the legitimate owner of the account. The legitimate owner has lost the account and there’s not much that can be done about it.

WhatsApp hasn’t discussed a potential solution to the issue, telling Forbes only that it recommended users provide an email address with two-factor authentication to help support representatives if they ever run into this “unlikely problem.” The company spokesperson added that anyone attempting an attack like this would also be violating the WhatsApp terms of service, not that hackers would care about that.

Instead of providing feeble excuses and references to terms of service, WhatsApp, a messaging service with more than 2 billion users, should be doing more to deal with this glaring security issue. It’s one thing that an attacker can try to log in as someone else, since that could be a possibility on any number of different services. But the fact that the deactivation service is automated and does not check to see if the person contacting it is a legitimate user is clearly a serious issue.
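The design point the article makes is that a deactivation request keyed on a phone number alone, with the confirmation going to whatever email the requester supplies, lets anyone who knows the number suspend the account. The following added example (not WhatsApp's code; the account store, phone number, email addresses and 15-minute challenge window are all constructed for illustration) contrasts that pattern with a flow in which a single-use challenge goes only to the recovery address already on file, so only someone who controls that inbox can complete the deactivation.

```python
import secrets
import time


def _clock(now):
    """Use an injected timestamp when given so the flow can be tested offline."""
    return time.time() if now is None else now


class AccountRegistry:
    """Constructed in-memory stand-in for an account store (not WhatsApp's code)."""

    def __init__(self):
        self.accounts = {}   # phone -> {"email": recovery email on file, "active": bool}
        self._pending = {}   # challenge token -> (phone, expiry timestamp)

    def register(self, phone, recovery_email):
        self.accounts[phone] = {"email": recovery_email, "active": True}

    # The pattern the article criticises: the request is keyed on the phone
    # number alone and the confirmation goes to an address the requester
    # chooses, so knowing the number is enough to get the account suspended.
    def deactivate_unverified(self, phone, requester_email):
        acct = self.accounts.get(phone)
        if acct is None:
            return None
        acct["active"] = False
        return f"suspended; confirmation sent to {requester_email}"

    # Hardened flow: a one-time challenge is issued to the recovery address
    # already on file, never to an address supplied with the request.
    def start_deactivation(self, phone, now=None):
        acct = self.accounts.get(phone)
        if acct is None:
            return None
        token = secrets.token_urlsafe(16)
        self._pending[token] = (phone, _clock(now) + 15 * 60)  # assumed 15-minute window
        # Returned here only so the flow can be exercised; a real service would
        # e-mail the token to acct["email"] and return nothing to the requester.
        return acct["email"], token

    def confirm_deactivation(self, token, now=None):
        entry = self._pending.pop(token, None)  # single use: consumed on any attempt
        if entry is None:
            return False
        phone, expiry = entry
        if _clock(now) > expiry:
            return False
        self.accounts[phone]["active"] = False
        return True
```

In the hardened flow a requester who registers a fresh email address never sees the token, so the account stays active unless the holder of the recovery inbox confirms.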

Photo: Christoph Scholz/Flickr
