WhatsApp users are warned about account suspension hack

An alarming security threat has been discovered, and it is a bad surprise for WhatsApp’s 2 million users. A remote attacker needs only your phone number to deactivate WhatsApp and prevent you from logging back in, and not even two-factor authentication stops it. Here’s how it works.

This should not happen. It shouldn’t be possible with a platform that is used by 2 million people. I was skeptical when researchers Luis Marquez Carpintero and Ernesto Canales Perena warned that they could disable WhatsApp on my phone and block me from my account using only my phone number. They were correct.

Jake Moore from ESET warns that “this is yet another worrying hack” and “one that could potentially impact millions of users. It is concerning how easily this could happen, as so many people use WhatsApp as their primary communication tool.”

WhatsApp’s user base is large, but its growth is slowing. Its architecture is falling behind its competitors, lacking key features like multi-device access and fully encrypted backups. These important improvements are still “in development” while the world’s most-loved messenger focuses its efforts on mandating new terms and conditions of service to enable Facebook’s latest money-making schemes.

Then there is the problem of account hijacking. We are constantly warned about scams that trick users into giving up the six-digit SMS code that activates a new WhatsApp installation. Recovering a stolen account can be slow and difficult, and there have been stories of hijacked accounts leading to other accounts being blocked.

To be fair to WhatsApp, an account hijack involves user error. Simply put, you should never give anyone the six-digit code sent to your phone; doing so will almost certainly result in your account being stolen. This issue seems to have affected WhatsApp more than other platforms. WhatsApp should require two-factor authentication (2FA), or create a trusted-device architecture similar to Google’s and Apple’s.

Ironically, WhatsApp’s two-factor authentication doesn’t prevent this attack. That is a serious problem: you can fall victim to it even if you follow all the security advice.

The newly disclosed vulnerability affects two distinct WhatsApp processes, each of which has a fundamental weakness. It is the combination of these two weaknesses that can disable your WhatsApp and prevent you from logging back in.

When you install WhatsApp on your phone, the platform sends an SMS code to verify your account. After you have entered the correct code, the app asks for your 2FA PIN. Once that is verified, you are in.

Let’s begin with the first weakness. Anybody can install WhatsApp on their own phone and simply enter your number at the verification screen. The six-digit code is then sent to you by text and by phone call, and a notification appears in your WhatsApp app advising you not to share it.

While you use your WhatsApp app as usual, an attacker could be entering your number on their own installation. They may request multiple codes or make incorrect guesses. The SMS codes and calls go to your phone, not the attacker’s, and the attacker has no way to access them. You ignore it all.

WhatsApp’s verification process limits the number of codes that can be sent. After several attempts, the attacker’s WhatsApp tells them to “Resend SMS/Call Me in 12 Hours” and no more codes can be generated. WhatsApp also blocks code entry after several wrong guesses: it tells the attacker that they have guessed too many times and must try again in 12 hours.

While WhatsApp still works normally on your phone, the attacker has now prevented any new codes from being sent or entered on a verification screen. Everything now depends on the 12-hour clock, which is slowly counting down.

This shouldn’t be a problem, and it isn’t, unless you need to deactivate WhatsApp on your phone or reverify. So, here’s weakness number two.

The attacker now registers a fresh email address (Gmail will do) and sends an email to support@whatsapp.com. The email claims that the phone has been lost or stolen and asks for the account to be deactivated, and the attacker includes your number. WhatsApp may reply asking for the number again; the attacker complies.

To be clear: WhatsApp has received an email containing your phone number. It has no way of knowing whether that email came from you. No questions have to be answered to prove ownership. An automated process takes place, without you being aware of it, and your account is deactivated.

A few hours later, WhatsApp suddenly stops working on your phone. You see an alarming notification: “Your phone number has been removed from WhatsApp on this device.” It may be because you registered it on another device; if you haven’t, you can verify your number to log back in to your account. The deactivation appears to be automated, using keywords in the email to trigger actions.

This happens even if your WhatsApp account has 2FA. It shouldn’t be an issue, but it is. All you should have to do is request a code and then reregister your account.

To send you a code, your deactivated WhatsApp asks for your phone number. You enter it and confirm. But no text arrives. Instead, the app tells you: “You have tried to register [your phone number] recently. Wait before you request an SMS or a call.”

Wait, what? You haven’t requested anything. Your phone is now subject to the same countdown as the attacker’s. For the remaining 12 hours, you cannot request a new code. You know none of this, which is why you are completely confused.

You suddenly remember the unexpected WhatsApp codes that arrived an hour ago. You retrieve the most recent SMS and enter the code into WhatsApp. It does not work. WhatsApp tells you “You have guessed too many times.” Obviously, you haven’t guessed at all. Your phone is subject to the same restrictions as the attacker’s: you cannot request a new code and you cannot use the last one.

At this point, the countdown likely reads between 10 and 11 hours. After the 12 hours expire, you can request a new SMS and verify your account with a new six-digit code. But there’s a twist.

The attacker doesn’t need to contact WhatsApp during the first 12-hour countdown. Instead, they can wait for it to expire and then start the process again. You will get many more messages, but there is nothing you can do with them.

After the attacker has done this a second time, WhatsApp appears to break. “You have guessed too many times,” the app tells them, and then, “try again after 1 second.” Instead of saying “12 hours,” the timer now reads “-1 second.”

Unfortunately, your phone is treated in exactly the same way as the attacker’s. If the attacker waits until now to email WhatsApp Support to deactivate your number, you will not be able to reregister WhatsApp on your phone after you have been kicked off the app. At that point, the researchers say, it is too late: you have to contact WhatsApp for help.

Even if the attacker has already had your phone deactivated, they can keep forcing code requests during the second 12-hour countdown. They see exactly the same timer as you do.
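The symptoms described above (the rightful phone inheriting the attacker’s “guessed too many times” and “resend in 12 hours” state) are what you get when the verification lockout is stored per phone number rather than per requesting client. The following is an added example, not code from the article or from WhatsApp: a toy server-side limiter that can be keyed either way, with a scenario that replays the sequence from the article and reports what the rightful owner sees under each design. All thresholds, client names and phone numbers are constructed assumptions.

```python
"""Model of the verification lockout described above (constructed example).

Two toy server-side limiters for the SMS-code step. Both enforce the same two
limits the article describes (a cap on codes sent and a cap on wrong guesses,
each followed by a 12-hour wait). The only difference is the key the lockout
state is stored under: the phone number alone, which is what the article's
symptoms imply, or the phone number plus the requesting client. Thresholds,
names and numbers are assumptions, not WhatsApp's real values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union

LOCKOUT_SECONDS = 12 * 60 * 60   # the "try again in 12 hours" wait
MAX_CODE_REQUESTS = 3            # assumed cap on "Resend SMS/Call Me"
MAX_WRONG_GUESSES = 3            # assumed cap before "guessed too many times"


@dataclass
class Bucket:
    requests: int = 0
    wrong_guesses: int = 0
    locked_until: float = 0.0


class VerificationLimiter:
    """scope="phone" reproduces the weakness: one bucket per phone number, so a
    stranger's exhausted attempts lock out the rightful device as well.
    scope="client" keys the bucket by (phone, client_id) instead."""

    def __init__(self, scope: str, now: Callable[[], float]) -> None:
        assert scope in ("phone", "client")
        self.scope = scope
        self.now = now
        self.buckets: Dict[Union[str, Tuple[str, str]], Bucket] = {}
        self.issued: Dict[str, str] = {}   # phone -> last code actually sent to it

    def _bucket(self, phone: str, client_id: str) -> Bucket:
        key = phone if self.scope == "phone" else (phone, client_id)
        b = self.buckets.setdefault(key, Bucket())
        if b.locked_until and self.now() >= b.locked_until:
            b = self.buckets[key] = Bucket()   # lockout expired: fresh window
        return b

    def request_code(self, phone: str, client_id: str, code: str) -> str:
        b = self._bucket(phone, client_id)
        if self.now() < b.locked_until:
            return "wait"          # "Resend SMS/Call Me in 12 Hours"
        b.requests += 1
        if b.requests > MAX_CODE_REQUESTS:
            b.locked_until = self.now() + LOCKOUT_SECONDS
            return "wait"
        self.issued[phone] = code  # delivered to whoever holds the number
        return "sent"

    def submit_code(self, phone: str, client_id: str, code: str) -> str:
        b = self._bucket(phone, client_id)
        if self.now() < b.locked_until:
            return "locked"        # "You have guessed too many times"
        if self.issued.get(phone) == code:
            b.requests = b.wrong_guesses = 0
            return "verified"
        b.wrong_guesses += 1
        if b.wrong_guesses >= MAX_WRONG_GUESSES:
            b.locked_until = self.now() + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def replay_scenario(scope: str) -> Dict[str, str]:
    """A stranger exhausts both limits for PHONE from their own install; an
    hour later the rightful owner tries to re-register. Returns what the
    owner sees, so the two designs can be compared."""
    clock = {"t": 0.0}
    lim = VerificationLimiter(scope, lambda: clock["t"])
    phone, stranger, owner = "+15550001234", "stranger-install", "owner-device"
    for i in range(MAX_CODE_REQUESTS):
        lim.request_code(phone, stranger, f"{i:06d}")  # codes land on the owner's phone
    for _ in range(MAX_WRONG_GUESSES):
        lim.submit_code(phone, stranger, "999999")     # blind guesses trigger the lockout
    clock["t"] += 3600
    last_code_received = f"{MAX_CODE_REQUESTS - 1:06d}"
    result = {
        "request": lim.request_code(phone, owner, "424242"),
        "last_code": lim.submit_code(phone, owner, last_code_received),
        "fresh_code": lim.submit_code(phone, owner, "424242"),
    }
    clock["t"] += LOCKOUT_SECONDS   # wait the full 12 hours
    lim.request_code(phone, owner, "777777")
    result["after_12h"] = lim.submit_code(phone, owner, "777777")
    return result


if __name__ == "__main__":
    for scope in ("phone", "client"):
        print(scope, replay_scenario(scope))
```

Under the phone-keyed design the owner gets “wait” on the resend, “locked” on the code that actually arrived, and only recovers after the full 12 hours, which is the sequence the article describes. Under the client-keyed design the stranger’s bucket is locked while the owner’s is untouched, so the owner’s own resend and fresh code succeed immediately. Keying the limit by the requesting client does not remove the need for a per-number cap on SMS volume, but that cap should slow delivery rather than refuse verification to the device that already holds the account.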

The combination of the SMS/code limits, this verification architecture and keyword-based automated actions triggered by incoming email is easily exploitable. This attack is not sophisticated, and WhatsApp needs to address it immediately. There are many reasons someone might want to ban a person from their preferred messenger; it shouldn’t be this easy. And it should not work at all when 2FA is enabled, as it was on this “victim” app.

This problem is not difficult to fix. WhatsApp could use 2FA to ensure that an app already installed on a registered device is protected from this problem. Once multi-device access arrives, WhatsApp could also use trusted-device concepts to let one app verify the other. Such a system would be far more secure and would eliminate this vulnerability.
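The second weakness above is that a support email containing a phone number and the right keywords deactivates the account with no proof of ownership. The following is an added example, not WhatsApp’s code and not from the article: a toy keyword-driven handler of the kind the article infers, beside a hardened handler that refuses to act unless the requester proves control of the account (the 2-step verification PIN checked against a stored hash, or a confirmation from the currently registered device), queuing everything else for a human. The trigger words, the PIN-based proof and the device-confirmation step are assumptions about how such a workflow could be built.

```python
"""Toy model of the support-email deactivation path described above, next to a
hardened alternative (constructed example). The trigger words, PIN handling
and device-confirmation step are assumptions about how such a workflow could
be built, not WhatsApp's implementation."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional

TRIGGER_WORDS = ("lost", "stolen", "deactivate")      # assumed keyword list
PHONE_RE = re.compile(r"\+\d{7,15}")


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store the 2-step verification PIN salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    phone: str
    registered_device: str
    salt: bytes = b""
    pin_hash: Optional[bytes] = None   # None when the user has not enabled 2FA
    active: bool = True


class Directory:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, phone: str, device: str, pin: Optional[str] = None) -> Account:
        salt = os.urandom(16)
        acct = Account(phone, device, salt, hash_pin(pin, salt) if pin else None)
        self.accounts[phone] = acct
        return acct


def keyword_deactivate(directory: Directory, email_body: str) -> str:
    """Weak design: any email that mentions a phone number together with a
    trigger word deactivates that account. Nothing proves the sender owns it."""
    m = PHONE_RE.search(email_body)
    if not m or not any(w in email_body.lower() for w in TRIGGER_WORDS):
        return "ignored"
    acct = directory.accounts.get(m.group())
    if acct is None:
        return "no-such-account"
    acct.active = False
    return "deactivated"


def verified_deactivate(directory: Directory, phone: str, pin: Optional[str] = None,
                        device_confirmation: Optional[str] = None) -> str:
    """Hardened design: deactivation needs proof of control, either the 2FA PIN
    (checked against its hash) or a confirmation from the device currently
    registered. Anything else is queued for a human instead of auto-actioned."""
    acct = directory.accounts.get(phone)
    if acct is None:
        return "no-such-account"
    if pin is not None:
        # A PIN only counts when the account has one and it matches.
        if acct.pin_hash is not None and hmac.compare_digest(
                hash_pin(pin, acct.salt), acct.pin_hash):
            acct.active = False
            return "deactivated"
        return "rejected"
    if device_confirmation is not None and device_confirmation == acct.registered_device:
        acct.active = False
        return "deactivated"
    return "needs-manual-review"


def compare_designs() -> Dict[str, object]:
    """The same stranger's email (constructed) reaches both designs; only the
    weak one acts on it. The hardened one acts once the owner supplies the PIN."""
    phone = "+15550001234"
    email = ("Hello, my phone was lost and I need you to deactivate "
             f"my account on {phone}. Thanks")
    weak, hard = Directory(), Directory()
    weak.create(phone, "owner-device", pin="482915")
    hard.create(phone, "owner-device", pin="482915")
    return {
        "weak_email": keyword_deactivate(weak, email),
        "weak_active": weak.accounts[phone].active,
        "hard_email": verified_deactivate(hard, phone),            # email alone: no proof
        "hard_wrong_pin": verified_deactivate(hard, phone, pin="000000"),
        "hard_active_before_owner": hard.accounts[phone].active,
        "hard_owner_pin": verified_deactivate(hard, phone, pin="482915"),
        "hard_active_after_owner": hard.accounts[phone].active,
    }


if __name__ == "__main__":
    print(compare_designs())
```

The point of the hardened handler is that an unauthenticated email can never be the sole input to a state change on the account: it can open a ticket, but the deactivation itself waits for something only the account holder can produce. In a real deployment the device confirmation would be a signed challenge to the registered app rather than a string compare, and wrong-PIN attempts on this path would need their own rate limit so the deactivation endpoint does not become a PIN oracle.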

Moore says this vulnerability highlights another serious WhatsApp problem: there is no way to opt out of being found on WhatsApp. Anyone can enter a phone number to locate the account associated with it. A move toward privacy that protects users and requires everyone to use a 2-step verification PIN would be ideal.

Ironically, this problem stems from secure messaging being tied only to a phone number and operating “over the top,” without any back-end link to the device’s OS or number. Logic suggests that the app could verify the phone’s number; WhatsApp admits in its privacy policy that it collects information about the device.

A WhatsApp spokesperson said: “Providing an email address along with two-step verification will help our customer service team assist customers should they encounter this unlikely problem. We are urging anyone in need of assistance to contact our support team, as we will investigate the circumstances.”

What they mean is that carrying out the attack could be a violation of their terms of service. That doesn’t help anyone, but it is a warning not to experiment with this vulnerability.

WhatsApp did not confirm any plans to address the vulnerability, despite its being easily and anonymously exploitable. It chose to minimize the risk instead, which is not the best solution. This is not only a nuisance: there are material benefits to taking someone “off communications.” And an attacker doesn’t need a phone number of their own to spoof a new installation; a device connected to Wi-Fi is sufficient.

Facebook has adopted a sloppy approach to security, minimizing the severity of the risks. In 2019, I wrote about a vulnerability that allowed private phone numbers to be pulled at scale from Facebook’s databases using automated bots. Facebook acknowledged the hack but dismissed it as an “unlikely” problem. However, 533 million people might disagree.

What should you do? Enable 2FA to prevent account hijacking. It is also worth adding an email address in case this happens to you. Watch for any warning that someone is requesting verification codes for your number, and if it persists, contact WhatsApp Support immediately.

You could also follow Mark Zuckerberg’s lead and use Signal. This privacy-first messenger, part-funded by WhatsApp co-founder Brian Acton, is the best alternative to WhatsApp.

I am hopeful that WhatsApp will change its stance on this vulnerability and fix it. If that happens, I will update this story.

Update, April 13th:

Tsachi Ganot, CEO of Pandora Security in Israel, contacted me after the article was published to say that this vulnerability had already been reported to Facebook and WhatsApp several times.

Ganot’s team exploited the flaw in a different way: they reported a user’s phone as lost and then blocked the verification process. Their findings were published in Israel in December. They believe the vulnerability has been exploited to disable user accounts.

In their variant, the victim would need to be offline for 12 hours for the attack to be prevented. The core problem is the same.

Ganot said this week: “We researched the issue in December after a few clients reported being disconnected from their accounts. We realized how easy and severe this attack was, and we reached out to Facebook to report it. They completely ignored us, so we wrote about the issue. It is not surprising to see that nothing has been done.”

We now know that this attack can be used even when the victim does not have their phone; whoever holds it can see the incoming verification messages and so bypass the 12-hour clock. Pushing the phone through three cycles can also halt the 12-hour countdown and leave the phone completely unusable.

It appears that Facebook knew about this vulnerability before I reported it on 25/03/. That it is still present, with no fix confirmed, is a concern. It would be good if this week’s media attention encouraged Facebook/WhatsApp and other social media platforms to address the issue.
