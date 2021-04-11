Every WhatsApp account is at risk from a simple security flaw. This is how you can avoid it.

Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have discovered a method that lets anyone lock the owner of any WhatsApp account out of it, through a process that takes little more than five minutes. It all stems from a vulnerability in the platform, and it could affect millions of people around the world.

As the researchers told Forbes, an attacker only needs to know the victim's phone number to carry out the attack. And considering that the phone numbers of more than 500 million Facebook users had just been leaked online, finding target numbers should not be hard for these attackers.

What is the vulnerability?

The phone-number verification process that WhatsApp runs by default when an account is created is one of the weakest parts of the application: the human factor comes into play, and attackers can take advantage of it to lock their victims out of their accounts.

The way it works is simple: when you install the WhatsApp app on a phone, you are asked to enter your phone number and then a code received by SMS, which verifies that the number is yours. If the code is correct and you have enabled two-step verification, the app then asks for your two-step verification PIN to identify you.

Nevertheless, anyone can enter someone else's phone number when installing WhatsApp on a device. An attacker who wants to lock a victim out of their account simply enters the victim's number and requests the verification code for it.

Since the account is already signed in on the victim's phone, the victim starts receiving verification codes and notifications that someone is trying to sign in on another device. The sensible thing to do would be to ignore those notifications, right?

The problem is that, once a certain number of codes has been requested in a short space of time, WhatsApp blocks further attempts to verify that number for 12 hours. In principle this does not hurt the victim, whose existing session stays signed in, unless they sign out of the account, for example to switch phones.

This is the moment the attacker takes the last step towards locking the victim out. It only takes an email to the WhatsApp support address asking for the account to be closed, claiming that the phone may have been stolen. The message contains the victim's phone number, and nothing that proves the sender owns it.

Shortly afterwards the attacker receives an automatically generated email from WhatsApp saying that the account has been successfully suspended. And soon after, the victim sees their WhatsApp account disappear from their phone and can no longer use the messaging app.

When the victim tries to sign in again, they run into the restriction that prevents new verification codes from being sent for up to 12 hours, caused by the burst of sign-in attempts the attacker made a few minutes earlier. And if they enter any of the codes already received by SMS, the timer keeps growing.

At this point, what appears to be a WhatsApp bug comes into play. When someone tries to sign in to a number whose attempts have already been blocked for 12 hours, WhatsApp can show the message "You have tried to log in too many times. Please try again in -1 seconds". From here the disaster is practically unavoidable: waiting for the app to accept a new code is useless, and all that remains is to contact WhatsApp technical support in search of a solution.
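The three steps above combine two design weaknesses: a rate limit keyed only on the target phone number, so a stranger's burst of requests locks out the number's real owner, and an account-closure request that asks for no proof of control. The following model, written for this article and not WhatsApp's own code, replays the attack against a service with both weaknesses and against a hardened variant. The class and method names, the thresholds (more than 5 code requests within 10 minutes triggers the 12-hour block) and the phone number are assumptions made for the demonstration; the real service's limits are not public, and the "-1 seconds" display is not modelled because the article does not establish its cause.

```python
"""Illustrative model of the WhatsApp lockout flaw described in this article.

Example code added to this article, not WhatsApp's implementation. Names,
thresholds and the phone number are assumptions made for the demonstration.
"""
import secrets

BLOCK_SECONDS = 12 * 3600   # the 12-hour block described in the article
MAX_REQUESTS = 5            # assumed number of code requests allowed per window
WINDOW_SECONDS = 600        # assumed counting window for those requests


class FakeClock:
    """Deterministic clock so the scenario runs instantly and repeatably."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class VulnerableService:
    """Weakness 1: the rate limit is keyed only on the target phone number.
    Weakness 2: 'my phone was stolen, close my account' needs no proof."""

    def __init__(self, clock):
        self.clock = clock
        self.requests = {}       # rate-limit key -> timestamps of code requests
        self.blocked_until = {}  # rate-limit key -> time the block expires
        self.registered = {}     # phone -> device currently signed in
        self.pending = {}        # phone -> code last delivered by SMS

    def rate_key(self, phone, requester):
        return phone             # only the target number counts, whoever asks

    def register(self, phone, device):
        self.registered[phone] = device

    def request_code(self, phone, requester):
        """Any device may request a code for any number."""
        now = self.clock()
        key = self.rate_key(phone, requester)
        if now < self.blocked_until.get(key, 0):
            return "blocked"
        stamps = [t for t in self.requests.get(key, []) if now - t < WINDOW_SECONDS]
        stamps.append(now)
        self.requests[key] = stamps
        if len(stamps) > MAX_REQUESTS:
            self.blocked_until[key] = now + BLOCK_SECONDS
            return "blocked"
        self.pending[phone] = secrets.token_hex(3)   # goes to the SIM, not to the requester
        return "sent"

    def retry_after(self, phone, requester):
        """Seconds the requester must wait; clamped so it can never be negative."""
        until = self.blocked_until.get(self.rate_key(phone, requester), 0)
        return max(0, int(until - self.clock()))

    def deactivate(self, phone, requester, proof):
        """Support-mailbox path: the email names the number and the account is closed."""
        self.registered.pop(phone, None)
        return True


class HardenedService(VulnerableService):
    """Block keyed on (number, requester) so an attacker only locks themselves
    out, and closure requires proof of control of the number."""

    def rate_key(self, phone, requester):
        return (phone, requester)

    def deactivate(self, phone, requester, proof):
        owns_session = self.registered.get(phone) == requester
        has_code = proof is not None and proof == self.pending.get(phone)
        if not (owns_session or has_code):
            return False
        self.registered.pop(phone, None)
        return True


def run_attack(service_cls):
    """Replay the three steps from the article and report how the victim fares."""
    svc = service_cls(FakeClock())
    phone, victim, attacker = "+15555550100", "victim-handset", "attacker-handset"
    svc.register(phone, victim)
    # Step 1: the attacker requests codes for the victim's number until it is blocked
    burst = [svc.request_code(phone, attacker) for _ in range(MAX_REQUESTS + 1)]
    # Step 2: the attacker emails support claiming the phone was stolen, with no proof
    closed = svc.deactivate(phone, attacker, proof=None)
    # Step 3: the victim, now signed out, tries to verify the number again
    victim_result = svc.request_code(phone, victim)
    return {
        "attacker_blocked": burst[-1] == "blocked",
        "account_closed": closed,
        "victim_can_verify": victim_result == "sent",
        "victim_wait_seconds": svc.retry_after(phone, victim),
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableService))
    print("hardened:  ", run_attack(HardenedService))
```

Against the vulnerable service the victim ends up signed out and facing a 43200-second wait; against the hardened one the closure request is refused and the victim's own code request goes through. Two caveats on the hardened version: the requester identity it keys on must be something costly to rotate (a device attestation or an authenticated session, not a self-chosen string), and a separate per-number cap is still needed so the victim's SIM cannot be flooded with SMS, but that cap should throttle sending rather than lock the number's owner out of verifying.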

Unfortunately, WhatsApp does not seem to intend to fix the problem properly. The company says that "the circumstances identified by the researchers would violate the terms of service", but I doubt that will deter future attackers, since they do not even need a phone number or SIM card in the phone used for the attack: a Wi-Fi connection and a phone with WhatsApp installed is enough.

One way to limit the damage from this kind of attack is to enable two-step verification in WhatsApp and add an email address to it. That can make it easier to get your account back, although it does not prevent the lockout itself, since the attack never reaches the PIN step. Or you can do as Mark Zuckerberg did and switch to a safer alternative, such as Signal.

