2021-04-13

It is not the first WhatsApp vulnerability and probably not the last. A group of researchers has discovered that it is possible to lock an account with an unsophisticated but highly effective method. According to Ernesto Canales Pereña and Luis Márquez Carpintero, two-step verification does not prevent this security threat.

According to Forbes, the flaw is related to the way WhatsApp activates the app on a new phone. The attackers abuse this process to make the company believe that the victim's handset has been stolen and, in this way, leave the victim unable to use the messaging service.

WhatsApp, owned by Facebook, has more than 2 billion active users, so a threat of this scale has set off alarms. "With so many people relying on WhatsApp as their main communication tool for social and work purposes, the ease with which this can happen is alarming," Jake Moore of ESET told Forbes.

How can someone block your WhatsApp account with nothing but your number?

When you change phones and install WhatsApp on the new handset, the application asks for your number and then sends you an SMS with a code to verify that the account is yours. If the code you enter is correct, the service is enabled and you can start chatting with your contacts.

So far everything seems normal. But to understand this vulnerability, you have to realise that anyone can install WhatsApp on their own phone and enter your phone number. If an attacker does this, you will receive text messages and/or calls with the activation code.

Credit: Forbes

Perhaps you carry on using the application normally, ignore these messages and breathe easy, thinking that you have two-step verification enabled. Wrong! You could still lose access to your WhatsApp account. How? The attacker can enter incorrect codes over and over again until the allowed limit is reached.

Once that limit is exceeded, WhatsApp will not send any more codes by SMS or call for 12 hours. In addition, the application stops accepting code entry because it has detected too many incorrect attempts, and it likewise re-enables entry only after 12 hours.

While you go about your life and ignore what is happening, the attacker is still at work. Here comes the next step in the attack: from an email address, they send a message to support@whatsapp.com. In that message they impersonate you, claim that your phone has been stolen, and request that the WhatsApp account be deactivated.

The attacker tricks the system into blocking your account

Because the message to WhatsApp includes your phone number, an automated system may ask for the number again to confirm the information. If that reply matches, and since there is no way to confirm that the sender is not the owner of the phone, the account is deactivated.

After about an hour you will receive a worrying message. "Your phone number is no longer registered in WhatsApp," it says, and continues: "That could be because you have registered it on another phone. If you haven't, verify your number to log back into your account."

Credit: Forbes

You may try to enter your number in the app to log in, but to no avail. WhatsApp will not send you any code (remember the 12-hour lock) and will tell you: "You have recently tried to register." At this point the app asks you to wait before requesting a new SMS or call.

After 12 hours, the attacker can repeat the operation before the owner does. After this process is repeated several times, the system breaks down. The application will again say "You guessed it several times," but will ask you to retry entering the code after waiting "-1 second". In other words, there is no longer any way to enter a code at all.
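The lockout mechanism described above (an attempt limit that silences both code delivery and code entry for 12 hours, and a wait timer that eventually reads "-1 second") comes down to how the throttle is keyed. The following Python model is an added example, not WhatsApp's code or the researchers' work; the attempt limit of 5, the phone number, the code and the client identifiers are constructed assumptions, and the email-based deactivation step is outside the model. It contrasts a throttle keyed by phone number alone, where a stranger's wrong guesses lock the real owner out, with one keyed by phone number plus requesting client, and it clamps the retry timer at zero so it can never report a negative wait.

```python
import hmac
from dataclasses import dataclass

LOCK_SECONDS = 12 * 60 * 60   # the 12-hour cooldown the article describes
MAX_ATTEMPTS = 5              # assumed attempt limit; the article gives no number


@dataclass
class _Bucket:
    failures: int = 0
    locked_until: float = 0.0


class VerificationThrottle:
    """Throttle for SMS/call verification-code entry (constructed model, not WhatsApp's code).

    scope="account": one counter per phone number, shared by every client that
        claims the number. Anyone who knows the number can fill it and lock the
        real owner out: this is the failure mode the article describes.
    scope="client": one counter per (phone number, requesting client). A stranger's
        wrong guesses only throttle that stranger; the owner's handset is unaffected.
    """

    def __init__(self, scope: str) -> None:
        if scope not in ("account", "client"):
            raise ValueError("scope must be 'account' or 'client'")
        self.scope = scope
        self._buckets: dict = {}

    def _key(self, phone: str, client: str):
        return phone if self.scope == "account" else (phone, client)

    def retry_after(self, phone: str, client: str, now: float) -> float:
        """Seconds until code entry reopens; clamped so it can never go negative."""
        bucket = self._buckets.get(self._key(phone, client))
        if bucket is None:
            return 0.0
        return max(0.0, bucket.locked_until - now)

    def submit_code(self, phone: str, client: str, code: str, expected: str, now: float) -> str:
        """Returns "ok", "wrong" or "locked" for one code-entry attempt at time `now`."""
        bucket = self._buckets.setdefault(self._key(phone, client), _Bucket())
        if now < bucket.locked_until:
            return "locked"
        # Constant-time comparison so the check itself leaks nothing about the code.
        if hmac.compare_digest(code.encode(), expected.encode()):
            bucket.failures = 0
            return "ok"
        bucket.failures += 1
        if bucket.failures >= MAX_ATTEMPTS:
            bucket.failures = 0
            bucket.locked_until = now + LOCK_SECONDS
            return "locked"
        return "wrong"


def lockout_demo(scope: str) -> str:
    """Replay the scenario: a stranger burns the attempt limit, then the owner
    enters the correct code from their own handset. Returns the owner's result."""
    throttle = VerificationThrottle(scope)
    phone, expected = "+1-555-0100", "123456"   # constructed sample number and code
    now = 0.0
    for _ in range(MAX_ATTEMPTS):
        throttle.submit_code(phone, "unknown-client", "000000", expected, now)
        now += 1.0
    return throttle.submit_code(phone, "owners-handset", expected, expected, now)


if __name__ == "__main__":
    print("account-scoped throttle, owner result:", lockout_demo("account"))  # locked
    print("client-scoped throttle, owner result:", lockout_demo("client"))    # ok
```

The design point is that a lock keyed only on the thing the attacker already knows (the phone number) turns the brute-force protection into a denial-of-service lever against the account's owner; scoping the lock to the requesting client keeps the protection while removing the lever, and the clamped timer prevents the "-1 second" state from ever being shown.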

So far, WhatsApp has not commented on the security flaw or said whether it will fix the problem. It should act on the matter, since this is a simple attack method that could leave accounts temporarily or, perhaps, permanently deactivated.

