- Researchers have found a WhatsApp flaw that lets attackers suspend your account.
- They just have to email support after multiple two-factor authentication attempts using your phone number.
- There’s no indication WhatsApp has a fix in the works.
You’ll want to be on guard if you get an unexpected WhatsApp two-factor authentication attempt — someone might be trying to shut down your account. Forbes reports (via Android Police) that security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have discovered a flaw letting attackers suspend your account if they have your phone number.
The perpetrator initially requests and incorrectly guesses multiple two-factor SMS codes to have WhatsApp lock out sign-ins on their device for 12 hours. After that, they register a new email address and email the support team asking to deactivate the number due to a lost or stolen account. As WhatsApp automatically disables the number without verifying the authenticity of the request, you could find yourself locked out with no input required on your part.
While you can theoretically get back to your WhatsApp account after that 12-hour window expires, the attackers can try to permanently lock you out by repeating the code requests two more times and waiting until that third period to email the company. If they do that, you’re asked to wait “-1 seconds” and have no choice but to ask WhatsApp for help recovering your account.
See also: WhatsApp vs Telegram vs Signal: Which app should you use?
WhatsApp didn’t discuss a potential solution to the account flaw in a statement to Forbes. Instead, it recommended that users provide an email address with two-factor authentication to help support reps if you ever run into this “unlikely problem.” Anyone attempting an attack like this would be violating terms of service, a company spokesperson added.
It’s true that you probably won’t see many attacks like this. Intruders are typically interested in hijacking accounts rather than disabling them, and you’ll know that something is wrong during that first string of SMS code requests. You should reach out to WhatsApp support immediately if you notice this activity.
There may be instances where someone wants to cause grief, though, and WhatsApp makes it easy to find a phone number’s owner by searching for it. More importantly, it raises questions about WhatsApp account security. The Facebook-owned service could theoretically stop this by relying on trusted devices rather than phone numbers, and it could manually verify deactivation requests to catch suspicious activity.
Until that changes, your best bet is simply to keep an eye on your text messages and act quickly.
