Though the result is more annoying than dangerous, a newly exploited quirk of WhatsApp’s two-factor authentication system does appear to make it relatively easy for an attacker to lock you out of your account for varying amounts of time. And all a bad actor needs to pull it off, as of this writing, is to know the phone number you’ve associated with your WhatsApp account. That’s it.
The attack itself is pretty easy to execute. As Android Police describes:
This newly-discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.
Here’s where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.
The silver lining here is that the attacks can’t actually be used to break into your account, merely to piss you off by rendering your account unusable for a period of time (potentially permanently, if the attacker is truly dedicated).
WhatsApp representatives told Forbes that the easiest way to protect yourself against this kind of an attack is to make sure you’ve associated an email address with your two-step verification process so the attacker won’t be able to spoof your identity. You can do that right now by pulling up WhatsApp, loading its Settings, tapping on Two-Step Verification, and inputting your email address (or checking to make sure you’ve already done so).
This isn’t going to block the attack per se, but it’ll make it a lot easier for WhatsApp’s customer service team to help you out should you find yourself in a “prevented from authenticating my account” feedback loop—which is what will happen if an attacker reaches out to WhatsApp posing as you, claiming that your account has been hacked and that WhatsApp should deactivate it. (You’ll then “receive” codes to revert the mistaken de-registration, only you won’t be able to input them because of the previous trick, which will have temporarily banned you for entering too many incorrect 2FA codes.)
As Forbes’ Zak Doffman writes:
This isn’t complex and should be easily fixed. WhatsApp could ensure that an app on a device with 2FA registered can prevent this issue, using 2FA as a circuit breaker. Even more simply, when multi-device access eventually appears, WhatsApp could use the trusted device concept to enable one verified app to verify another. This is a much better system and would shut down this vulnerability.
I would expect that WhatsApp is looking into this issue and will be patching up the 2FA-verification process (or account-disabling process) to render these types of drive-by-style attacks ineffective. In the meantime, perhaps consider using a different WhatsApp number entirely, if possible, to minimize the risk you’ll be locked out.