Date: 2021-04-13

If someone has your phone number, they can block your WhatsApp account in a matter of minutes. It is not a hoax; it is an absurdly simple security problem that anyone who envies you, hates you or simply wants to give you a hard time can exploit.

If you are a frequent user of WhatsApp, you should be aware of a disturbing security hole discovered this weekend. Its effects are dire: an attacker can completely suspend your WhatsApp account, leaving you with no recourse, and all the attacker needs is your phone number. At the time of writing this article, there is no fix for this problem.

This newly discovered flaw is terrifyingly simple. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. Obviously the attacker cannot complete the verification, because the two-factor authentication system sends the login codes to your real phone. After multiple repeated and unsuccessful attempts, login for your number is locked for 12 hours.

This is where the tricky part comes in: with your account locked out, the attacker sends a support message to WhatsApp from his own email address, claiming that his phone (that is, yours) has been lost or stolen and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email and suspends your account immediately.

The attacker can also repeat the process several times in a row to create a semi-permanent lock on your account.
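The root of the problem is where the lockout is keyed. The following Python model is an added illustration, not WhatsApp's code: the failure threshold, the key names and the phone number are assumptions, and only the 12-hour lock comes from the article. It contrasts a policy that locks the victim's phone number after failed attempts from any device with one that throttles the requesting device instead, so the legitimate owner can still verify.

```python
"""Hypothetical model of a verification-code lockout policy (added example)."""
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumed threshold; the real value is not known
LOCK_SECONDS = 12 * 3600  # the 12-hour lock described in the article


@dataclass
class VerificationServer:
    # True: throttle the client that submits wrong codes (hardened policy).
    # False: lock the phone number itself, whoever submitted the codes (flawed policy).
    lock_by_client: bool
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def _key(self, number: str, client: str) -> str:
        return client if self.lock_by_client else number

    def attempt(self, number: str, client: str, code: str, now: int, real_code: str) -> str:
        """One code submission. Returns 'ok', 'wrong' or 'locked'."""
        key = self._key(number, client)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if code == real_code:
            self.failures.pop(key, None)
            return "ok"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= MAX_FAILURES:
            # Threshold reached: lock the key for LOCK_SECONDS and reset the counter.
            self.locked_until[key] = now + LOCK_SECONDS
            self.failures.pop(key, None)
        return "wrong"


def simulate(lock_by_client: bool) -> str:
    """A stranger submits wrong codes for someone else's number, then the owner
    submits the genuine code from their own device. Returns the owner's result."""
    srv = VerificationServer(lock_by_client=lock_by_client)
    number = "+15550001234"  # constructed sample number
    real_code = "482913"     # constructed; only the owner's phone ever receives it
    for t in range(MAX_FAILURES):
        srv.attempt(number, "stranger-device", "000000", now=t, real_code=real_code)
    return srv.attempt(number, "owner-device", real_code, now=MAX_FAILURES, real_code=real_code)
```

With the flawed policy the owner is reported as locked even though they never entered a wrong code; with the hardened policy only the stranger's device is throttled.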

The WhatsApp attack

The attack was discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, and was first reported by Forbes. The findings are disturbing, but at least this method cannot be used to actually access an account, only to block its rightful owner from accessing it. Messages and confidential contacts are not exposed at any time.

WhatsApp, which is owned by Facebook, warns that exploiting this vulnerability violates its terms of service. That is not much of a deterrent, since the attack can be carried out anonymously with any mobile device and a disposable email address. As an Android Police writer put it, maybe they will “fix it when someone does this with Zuckerberg’s number, which was recently leaked in a Facebook account dump”. It appears that security issues, and unsatisfactory answers to them, will continue to be a problem in Facebook’s growing corporate empire.

