A flaw in WhatsApp lets an attacker with no hacking or programming skills permanently lock any user out of their account. All the attacker needs is the victim's phone number, and the victim has no way to prevent it. WhatsApp's developers have been slow to fix the problem.
New flaw in WhatsApp
Any WhatsApp user can lose access to their account at any moment, with little chance of recovery. As Forbes writes, there is simply no way to defend against it: the attacker does not need to compromise the victim's device, only to know their phone number, after which he can trigger a lockout that leaves the owner unable to log back in.
The ability to cut any person off from WhatsApp stems from a serious vulnerability in the messenger discovered by security researchers Luis Carpintero and Ernesto Canales Pereña. They notified the WhatsApp developers of their finding, but no patch has yet been released, leaving the service's 2 billion users at risk of losing their accounts.
WhatsApp is the most popular messenger in the world. According to Statista.com, by monthly active users in January 2021 it led with more than 2 billion, ahead of Facebook Messenger (1.3 billion), China's WeChat (1.21 billion) and QQ (617 million). WhatsApp has been owned by Facebook since February 2014.
How the vulnerability works
The vulnerability allows the victim's account to be completely blocked in two very simple steps, neither of which requires hacking or social engineering skills: the attacker never contacts the account owner at all.
In the first step, the attacker installs WhatsApp on a smartphone and tries to register with the victim's phone number. WhatsApp sends a confirmation code by SMS to that number; the attack relies on the owner ignoring these messages. After several such attempts, the application on the attacker's device reports too many verification attempts and allows the next one only after 12 hours. Meanwhile, WhatsApp on the victim's device continues to work as before.
In the second step, the attacker registers a new email address and writes to WhatsApp support, claiming that his account has been lost or stolen and asking for it to be deactivated, giving the victim's number. WhatsApp may reply with an automated email asking for the number to be confirmed, and the attacker simply does so.
WhatsApp then initiates the deactivation without checking that the request came from the account's real owner. About an hour later, the messenger suddenly stops working on the victim's device, which shows a message that the number is no longer registered: “It could have happened because you registered it on another phone. If you have not done so, please confirm your phone number to log in to your account again,” the notification says.
All of this works even if the user has enabled two-factor authentication. An attempt to request a new verification code fails: because of the attacker's earlier attempts, WhatsApp will only allow one after 12 hours.
Bonus stage and complete blocking
If the attacker stops after the second step, the result is only that the user cannot connect to WhatsApp with their number for several hours. After at most 12 hours, the user can regain control of the account and keep using the messenger until someone decides to repeat the trick.
But there is a third stage that leads to a complete blocking of the account.
This stage can also serve as the second: the attacker need not write to WhatsApp support at all. He can simply wait 12 hours and then again make several attempts to register the victim's number on his phone. After the third 12-hour lockout, WhatsApp breaks: instead of a timer counting down to the next permitted attempt, it permanently shows “-1 seconds”. This is a malfunction in the messenger that cannot be bypassed.
The same picture appears both on the attacker's device and on the victim's smartphone, and as a result nobody can log in to the messenger with that phone number any longer. All that remains is to contact WhatsApp support and look for a solution.
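The design weakness behind the first and third stages is that the verification-code rate limiter is keyed only by phone number, so a stranger's attempts spend the owner's budget. The following toy model is an added illustration, not WhatsApp's code or anything from the Forbes article: it reproduces the reported lockout behaviour (12-hour lockouts, the third one never clearing) under a shared key and contrasts it with a limiter keyed by phone number and requesting device. The request threshold, the sample number and the device identifiers are assumptions; WhatsApp's real limits are not public, and the email-to-support deactivation step is a process that is not modelled.

```python
"""Toy model of the verification-code lockout abused in the attack above.

Added illustration, not WhatsApp's code. It contrasts a rate limiter keyed only by
phone number (any stranger's attempts exhaust the owner's budget) with one keyed by
(phone number, requesting device). Thresholds are assumptions; WhatsApp's real limits
are not public. The email-to-support deactivation step is a process, not modelled here.
"""
from dataclasses import dataclass

LOCKOUT_SECONDS = 12 * 3600   # 12-hour lockout, as reported
MAX_CODE_REQUESTS = 3         # assumed: requests allowed before a lockout
MAX_LOCKOUTS = 3              # reported: the third lockout never clears ("-1 seconds")

VICTIM_NUMBER = "+1 555 0100"     # constructed sample number
OWNER_PHONE = "owner-phone"       # constructed device identifiers
ATTACKER_PHONE = "attacker-phone"


@dataclass
class LimitState:
    count: int = 0            # code requests since the last lockout
    locked_until: float = 0   # epoch seconds; 0 means not locked
    lockouts: int = 0         # lockouts incurred so far


class VerificationService:
    """Sends SMS verification codes, rate-limiting per key.

    key_by_device=False reproduces the reported behaviour: the limiter state is shared
    by everyone who asks for a code for that number, so the legitimate owner inherits
    the attacker's lockout. key_by_device=True isolates each requesting device.
    """

    def __init__(self, key_by_device: bool):
        self.key_by_device = key_by_device
        self.state: dict = {}

    def _state(self, number: str, device: str) -> LimitState:
        key = (number, device) if self.key_by_device else number
        return self.state.setdefault(key, LimitState())

    def request_code(self, number: str, device: str, now: float) -> str:
        """Return 'sent', 'locked' (try again after 12 h) or 'broken' (timer stuck at -1)."""
        st = self._state(number, device)
        if st.lockouts >= MAX_LOCKOUTS:
            return "broken"
        if st.locked_until > now:
            return "locked"
        if st.count >= MAX_CODE_REQUESTS:
            # budget spent: start a lockout and reset the counter for the next window
            st.count = 0
            st.locked_until = now + LOCKOUT_SECONDS
            st.lockouts += 1
            return "broken" if st.lockouts >= MAX_LOCKOUTS else "locked"
        st.count += 1
        return "sent"   # in reality an SMS goes to the number's owner


def run_attack(key_by_device: bool) -> dict:
    """Attacker requests codes for the victim's number until refused, waits out each
    lockout and repeats, three rounds in total. Returns what the owner sees after each."""
    svc = VerificationService(key_by_device)
    now = 0.0
    owner_sees = {}
    for round_no in (1, 2, 3):
        while svc.request_code(VICTIM_NUMBER, ATTACKER_PHONE, now) == "sent":
            pass                          # the owner ignores the unexpected SMS codes
        owner_sees[round_no] = svc.request_code(VICTIM_NUMBER, OWNER_PHONE, now)
        now += LOCKOUT_SECONDS + 1        # attacker waits out the 12 hours
    return owner_sees


if __name__ == "__main__":
    print("shared key:    ", run_attack(key_by_device=False))
    print("per-device key:", run_attack(key_by_device=True))
```

With the shared key the owner is locked out after the first and second rounds and sees the permanently broken state after the third, exactly the progression described above, without ever having made a request themselves. Keying the limiter by requesting device is only an illustration of the principle (an unauthenticated party must not be able to spend a resource owner's budget); it is not WhatsApp's fix, and an attacker with many devices could still flood the owner with SMS codes, but could no longer prevent the owner from re-verifying.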
WhatsApp does not solve the problem
The Forbes article describing the new issue was published on April 10, 2021. By April 13, 2021, the developers had neither released an update fixing it nor set a timeline for one.
Meanwhile, the company is pressing ahead with its controversial new privacy policy. WhatsApp had intended to introduce it on February 8, 2021, but was forced to postpone it after a barrage of criticism. The new effective date is May 15, 2021, and users who refuse to accept it will progressively lose access to the messenger's features.
Other WhatsApp problems
WhatsApp is known not only for being used by billions of people but also for not always valuing its users. For example, in June 2020 it emerged that phone numbers linked to some WhatsApp user profiles had long been publicly accessible and had even been indexed by Google. In total, the numbers of up to about 300 thousand users could be found through Google, and the problem was global.
In November 2019, CNews reported that WhatsApp users were being automatically and permanently banned for taking part in harmless group chats. It turned out that one could be sanctioned simply for renaming a chat to something the service's moderators deemed sinister, illegal or malicious.
WhatsApp was in no hurry to fix this failure either. To all inquiries from affected users about the reasons for the ban, the messenger's staff replied that the users themselves had violated the service's rules and that the blame lay solely with them. As a result, people had to either change their phone number to register a new profile or move to other services such as Telegram, Viber or Signal.