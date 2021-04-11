Spanish researchers have managed to discover a major WhatsApp security flaw related to the verification of phone numbers.

WhatsApp in the most used instant messaging application in the world with around 2 billion active users who do not hesitate to trust this Facebook application to communicate with their loved ones or even to hold business meetings.

However, the application has a significant vulnerability that would allow any attacker to block the victim’s phone number with a simple procedure, even with two-step authentication enabled. The security flaw has been reported by Spanish researchers Luis Marquez Carpenter Y Ernesto Canales Pereña, from the University of Alicante, initially informing Forbes that it has reproduced the security breach.

This fault is related with the method that WhatsApp uses when verifying new phone records. And is that when you originally register your phone number in WhatsApp, an SMS code will be sent directly to you to verify the account. So far everything normal, but this event can be exploited fraudulently to permanently block the target account.

How this vulnerability works and how a cybercriminal would exploit it

To do this, an attacker would target your phone number, and basically try to register it on their device. In that case, by entering your phone number, you would be constantly receiving SMS with a six-digit code for verification. Now there is no risk since you would be directly ignoring these SMS and you would not lose the account.

The problem is that if the attacker continuously made this request for codes using your own phone number, the flaw would start to exploit. And it is that after a few attempts, the attacker’s WhatsApp will come to a point where he can no longer generate more SMS codes for verification thus blocking code entries in the application after several attempts.

Although the victim would continue to use WhatsApp without any problem, the attacker would have already achieved his first objective: to block any sending of new code to your own phone number.

Now that the attacker has managed to block your phone number from receiving new SMS, I would send an email with any account that has been created to support @ whatsapp.com.

Basically in the matter it would say that it is a question related to a lost or stolen account and in the body it would say that “please, deactivate that phone number” so that you can not continue using the application.

So WhatsApp would have received a fraudulent email from the attacker himself who would have masqueraded as you. WhatsApp engineers would verify that, indeed, that phone number that is claimed as stolen right now is blocked by numerous validation requests. Here WhatsApp has no way of knowing if this email is really real or not, but since they verify that the phone number is blocked from receiving SMS, they see that something is not right and they proceed with their deactivation of the account, your account.

This is when the victim’s WhatsApp stops working suddenly, and the first time the attacker has managed to block your account, and only knowing your phone number.

The victim will receive a notification telling them that their number has been deactivated, and to please verify their phone number to log back into their account. This happens even if you have two-step verification activated in your WhatsApp account.

This should not be a problem, because basically you would enter your phone number, receive an SMS and re-verify the account to use the application again. But of course, is that your phone number is already blocked from receiving SMS for 12 hours, with which you would have the account blocked right now for at least 12 hours without being able to verify it.

And this is where the whatsapp glitch. And it is that the attacker, after those 12 hours, could repeat the process so that the reception of the verification SMS is blocked again, and so on until the third 12 hour lockout cycle arrives. At this point, the reception of SMS on your phone number would be permanently blocked, and you would never be able to recover your account again.

In this way, the combination of this WhatsApp verification architecture with the limits of sending SMS and codes, and all the automated actions based on keywords such as “account theft” or “account deactivation”, play a bad thing. passed to WhatsApp and could be used by an attacker to directly block your phone number from the application.

So anyone could abuse your phone number to annoy you so that you can’t use the app permanently.

In response to these questions, a WhatsApp spokesperson told Forbes that “providing an email address with two-step verification helps our customer service team to help people in the event that they ever run into this unlikely problem. The circumstances identified by this investigator would violate our terms of service and we encourage anyone who needs help to email our support team so that we can investigate. “

Yes, this question would not specifically help the victim, but the attacker could face legal consequences from WhatsApp itself for trying to block target phone numbers in this way.

WhatsApp has not confirmed that it will fix this vulnerability related to its phone number verification architecture, but it is expected that they will move soon.