Despite being one of the most widely used messaging apps, WhatsApp has put its users at risk through a series of vulnerabilities, and through a contested change to its privacy policy. Recently we reported a nasty WhatsApp scam that lets a user's own contacts hijack their account. Now a more serious flaw has been discovered that abuses WhatsApp's verification process to let an attacker permanently deactivate a user's account.
Vulnerabilities in WhatsApp's User-Verification System
This new attack, uncovered by security researchers Luis Marquez Carpintero and Ernesto Canales Perena and made public by Forbes, is dangerous for WhatsApp users because it requires only a simple, if tedious, procedure. Furthermore, anyone who has your phone number can carry it out remotely. Worse still, even two-factor authentication (2FA) cannot prevent the termination of your account.
How Does it Work?
The remote-account-deactivation attack exploits weaknesses in WhatsApp's identity-verification design at two separate points. The first is the platform's one-time password (OTP) login flow; the second is the lockout timer the platform imposes after repeated failed login attempts.
An attacker who has your phone number starts by entering it on WhatsApp's login screen. While the attacker carries out these initial steps you are not yet affected and can continue to use the platform as normal. You will, however, receive multiple login codes by SMS, because the attacker is repeatedly requesting a login for your number and entering random codes in order to trigger the second stage.
After numerous failed login attempts for your number, WhatsApp enters the second phase: it imposes a 12-hour lockout during which no new login codes can be generated for that number. The attacker can now ask for your account to be deleted by sending a request to support@whatsapp.com from a bogus email address. From WhatsApp's side, there are now numerous failed login attempts for your number and a request to deactivate the account tied to it.
An hour or so later you lose access to your account and receive an email from WhatsApp confirming the deactivation. The catch is that when you try to re-register, you must enter the OTP issued by WhatsApp, but the 12-hour lockout prevents the platform from generating fresh login codes for your number, so you cannot. The same timer applies to both you and the attacker who caused it.
Photo: Forbes
Once the lockout expires you can try to re-register your account. The process can, however, loop indefinitely if the attacker repeats the same trick before you manage to re-register.
The System Breakdown
This is where the second flaw in WhatsApp's verification design comes into play. After a certain number of loops the automatic lockout system simply breaks: if the attacker keeps triggering failed login attempts for your number, the system eventually displays a timer of -1 seconds in place of the 12-hour schedule for generating new codes. This indicates that the automated verification system has malfunctioned under the load.
Photo: Forbes
With the system in this broken state, no new login codes can be generated for your phone number for the foreseeable future. Your account therefore remains inactive for the following 30 days, at which point WhatsApp permanently deletes it from its database.
While tedious, this technique is not difficult. These gaps in WhatsApp's automated security allow anyone with a smartphone to remotely deactivate another user's account.
Is It Fixable?
Following the discovery of these vulnerabilities, the security researchers said the problem should be easy to fix thanks to WhatsApp's long-standing multi-device support. With multi-device support, the platform could validate the devices that users log in from through a trusted-device system similar to Apple's.
There is, however, currently no fix for this attack. So if you begin to receive unexpected login codes from WhatsApp in the coming days, you should suspect that someone is trying to deactivate your account. To keep your account safe, contact WhatsApp's support team in advance and let them know what is happening. And tell your friends and family about this WhatsApp flaw by spreading the word.
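The two weaknesses the article describes, a lockout timer that degrades under repeated abuse and a deactivation path that is not tied to a verified device, can be illustrated with a small defensive model. The Python below is an added, hypothetical example written for this page; it is not WhatsApp's code and the threshold, saturation cap, and device-trust rules are assumptions. It shows an OTP throttle whose countdown is clamped so it can never report a negative value, whose lockout counter saturates instead of wrapping, and a deactivation request that is honored only when it comes from a trusted device (the fix the researchers proposed).

```python
"""Hypothetical OTP-login throttle with a trusted-device gate.
Illustrative model for this article, not WhatsApp's implementation."""
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 12 * 60 * 60   # the 12-hour lockout described in the article
MAX_FAILED_CODES = 5             # assumed threshold; the article gives no number
MAX_LOCKOUTS_TRACKED = 1000      # assumed saturation cap so the counter never wraps


@dataclass
class AccountState:
    phone: str
    trusted_devices: set = field(default_factory=set)
    failed_codes: int = 0
    lockout_until: float = 0.0   # unix timestamp; 0 means no active lockout
    lockouts: int = 0            # how many lockouts this number has accumulated
    deactivated: bool = False


def seconds_remaining(state: AccountState, now: float) -> int:
    """Countdown shown to the user; clamped so it can never go negative
    (the article's -1 second timer is exactly the state this avoids)."""
    return max(0, int(state.lockout_until - now))


def submit_code(state: AccountState, now: float, correct: bool, device_id: str) -> str:
    """Process one OTP attempt from a device. Returns 'ok', 'locked' or 'wrong'."""
    # A device that was previously verified for this account is trusted and
    # can re-register even while the number is locked out, so an attacker
    # hammering the login screen cannot lock the legitimate owner out.
    if device_id in state.trusted_devices:
        return "ok"
    if now < state.lockout_until:
        return "locked"
    if correct:
        state.failed_codes = 0
        state.trusted_devices.add(device_id)   # remember the verified device
        return "ok"
    state.failed_codes += 1
    if state.failed_codes >= MAX_FAILED_CODES:
        state.failed_codes = 0
        # Saturate rather than grow without bound: repeated abuse must not
        # push the counter or the timer into an undefined state.
        state.lockouts = min(state.lockouts + 1, MAX_LOCKOUTS_TRACKED)
        state.lockout_until = now + LOCKOUT_SECONDS
        return "locked"
    return "wrong"


def request_deactivation(state: AccountState, device_id: str) -> bool:
    """Only a trusted device may deactivate the account. An email from an
    unverified sender (the attacker's bogus address) is refused."""
    if device_id not in state.trusted_devices:
        return False
    state.deactivated = True
    return True


if __name__ == "__main__":
    acct = AccountState(phone="+1 555 0100")   # constructed sample number
    for _ in range(MAX_FAILED_CODES):
        submit_code(acct, 0.0, False, "attacker-laptop")
    print("locked for", seconds_remaining(acct, 0.0), "seconds")
    print("bogus deactivation accepted:", request_deactivation(acct, "attacker-laptop"))
```

The model deliberately leaves out what happens when the legitimate owner has no trusted device at all (a brand-new phone); a real system would need an out-of-band recovery path for that case, which is the part the article says WhatsApp has not yet built.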