#BugAlert: Here's how anyone can suspend your WhatsApp account
If you have been receiving multiple two-factor authentication (2FA) requests for your WhatsApp account, it is likely that someone is attempting to shut your account down. The flaw was first discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, Forbes reported. All the cybercriminals need is your phone number and a little over 12 hours to deactivate your WhatsApp account. Here's how.
- Cybercriminal would just need to wrongly guess 2FA codes
- One false email to support and victims are locked out
- WhatsApp doesn't verify who sent the account deactivation request email
- After the third consecutive attack, victim cannot recover WhatsApp account
- Victims can't do much when cybercriminals exploit this vulnerability
- Cybercriminals could financially benefit from deactivating someone's WhatsApp account
Cybercriminal would just need to wrongly guess 2FA codes
First, using their own device, the perpetrator would attempt to log in to the victim's WhatsApp account. Thanks to two-factor authentication, WhatsApp would send the victim a six-digit code via call/SMS. Since the perpetrator doesn't have access to the victim's phone (which anyway isn't their aim), they would incorrectly guess the code multiple times until WhatsApp requests the perpetrator to try after 12 hours.
One false email to support and victims are locked out
Before the 12-hour timeout, the perpetrator would use a burner email ID to request support@whatsapp.com to deactivate the victim's account. WhatsApp might send an automated reply asking for the victim's phone number again, which the perpetrator would happily provide. And now, WhatsApp would automatically temporarily deactivate the victim's account without any input actually coming from the victim.
WhatsApp doesn't verify who sent the account deactivation request email
There are two big flaws in WhatsApp's security system. It doesn't verify if the email requesting deactivation comes from the owner of the said account! This means that anyone who knows your phone number can deactivate your WhatsApp account in around 12 hours. Let that sink in. Secondly, the messaging service doesn't follow up with questions to confirm your ownership of the phone number.
After the third consecutive attack, victim cannot recover WhatsApp account
The biggest issue is that even if the victim successfully re-registers and recovers their WhatsApp account, just one email from the cybercriminal could get them back to square one. Additionally, after the third attack cycle, the victim's phone would count down "-1 seconds" instead of 12 hours. With the countdown broken, the victim is locked out of their account unless contacting WhatsApp helps.
Victims can't do much when cybercriminals exploit this vulnerability
What can you (the victim) do if you get a bunch of WhatsApp 2FA codes you didn't ask for, or if WhatsApp doesn't respond after you are locked out of your own account? Well, nothing. Worryingly, this unsophisticated attack doesn't require any coding skills or effort on the attacker's part. Additionally, Forbes reported that there's no way to opt-out of being discovered on WhatsApp.
Cybercriminals could financially benefit from deactivating someone's WhatsApp account
WhatsApp hasn't yet acknowledged or addressed this vulnerability. It seemingly remains focused on generating revenue. Considering how Facebook's latest breach and a separate database on Telegram leaked millions of phone numbers online, WhatsApp's vulnerability can be exploited at scale. Forbes rightly observed that besides the inconvenience caused, there could be monetary benefits of taking a person or a business off WhatsApp.
