New WhatsApp Vulnerability Can Get You Locked Out of Your Account Indefinitely
Security researchers have disclosed a new vulnerability in WhatsApp that could push even more users to leave the service for good. A malicious attacker could easily use it to lock you out of your WhatsApp account, and for an indefinite period, which makes it far more than a minor inconvenience. And things are worse than they sound.
Researchers Luis Márquez Carpintero and Ernesto Canales Pereña explain that attackers do not need any specific software or training to exploit this issue. They only need your phone number, and once they have it, they can lock you out of your WhatsApp account with very little effort.
WhatsApp is Currently Facing One of the Worst Vulnerabilities There Could Be
So, how does it work? WhatsApp requires two-factor authentication whenever you log in from a new device. For this, a six-digit verification code is sent to your phone number, and if you enter the wrong code multiple times, your account is automatically suspended for 12 hours.
Attackers can abuse this authentication step by installing WhatsApp on a new device, entering your phone number, and repeatedly entering the wrong code. While this prevents you from logging in on a new device for the next 12 hours, it does not affect the WhatsApp install on the device you are actively using, which keeps working as intended.
To keep you from logging in on a new device, an attacker only needs to repeat this three times; on the third time, the app's suspension timer breaks and shows a -1 seconds timer instead. Once that bug appears, WhatsApp will not let you log in on a new device at all. Your current device, meanwhile, continues to work just fine. However, things are not over yet.
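As an added illustration of the design point behind this bug (this is not code from WhatsApp or from the researchers), the Python model below scopes the wrong-code suspension to the (phone number, device) pair rather than to the phone number alone, and computes the remaining suspension time with saturating arithmetic so it can never display a negative value. The threshold of five wrong codes and the device identifiers are assumptions; the article only says "multiple times".

```python
import time
from collections import defaultdict

MAX_WRONG_CODES = 5          # assumed threshold; the article only says "multiple times"
SUSPEND_SECONDS = 12 * 3600  # the 12-hour suspension the article describes


class VerificationThrottle:
    """Throttle for six-digit verification codes, keyed on (phone, device).

    Because the suspension is scoped to the device that submitted the wrong
    codes, someone registering your number on a new phone cannot suspend the
    install you already use. Remaining time is computed with saturating
    arithmetic, so it bottoms out at 0 instead of drifting to -1 seconds.
    """

    def __init__(self, now=time.time):
        self.now = now                          # injectable clock for tests
        self.failures = defaultdict(int)        # (phone, device) -> wrong codes so far
        self.suspended_until = {}               # (phone, device) -> unix timestamp

    def seconds_remaining(self, phone, device):
        until = self.suspended_until.get((phone, device), 0)
        return max(0, int(until - self.now()))  # saturates at 0, never negative

    def attempt(self, phone, device, code, expected):
        """Process one code submission; returns 'ok', 'wrong' or 'suspended'."""
        key = (phone, device)
        if self.seconds_remaining(phone, device) > 0:
            return "suspended"
        if code == expected:
            self.failures.pop(key, None)        # a correct code clears the counter
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_WRONG_CODES:
            self.failures[key] = 0
            self.suspended_until[key] = self.now() + SUSPEND_SECONDS
            return "suspended"
        return "wrong"


if __name__ == "__main__":
    # Constructed scenario: repeated wrong codes from a new device suspend
    # only that device; the owner's existing device still verifies.
    t = VerificationThrottle()
    for _ in range(MAX_WRONG_CODES):
        t.attempt("+1555010000", "new-device", "000000", "123456")
    print("new device suspended for", t.seconds_remaining("+1555010000", "new-device"), "s")
    print("owner device:", t.attempt("+1555010000", "owner-device", "123456", "123456"))
```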
The final step breaks your current install as well and locks you out of the account permanently. For this, the attacker sends WhatsApp an email asking the service to deactivate your phone number. WhatsApp may send an automated response asking the sender to confirm the number, and once that confirmation is given, WhatsApp automatically deletes your account without your knowledge.
Your current install stops working right away, and you see a notification that says, "Your phone number is no longer registered with WhatsApp on this phone. This might be because you registered it on another phone. If you didn't do this, verify your phone number to log back into your account." After that, when you try to verify your number, you see the -1 seconds suspension timer and cannot log back in at all.
Since this attack requires no specialized equipment or technical know-how, it is all the more dangerous, and the company needs to address it right away before it gets out of hand.