What you need to know
- Researchers have discovered a worrying vulnerability within WhatsApp.
- Users can be locked out of their accounts thanks to a massive flaw involving just a phone number.
- WhatsApp users are encouraged to enable two-step authentication on their accounts.
A pair of researchers have uncovered a flaw (via Forbes) that allows an attacker to lock anyone out of their WhatsApp account using only their phone number. It works because WhatsApp asks for a phone number when the app is installed, and the attacker can enter any number, which then receives a confirmation text. If your number is on the receiving end, you'll notice seemingly unprompted verification texts from WhatsApp that you can't do anything about. After too many failed verification attempts, further attempts to log in with that number are blocked for 12 hours. That alone shouldn't affect you, since you're already logged in, but the real problem comes next.
From there, the attacker can email WhatsApp support asking to deactivate the number because of a lost or stolen phone. Since WhatsApp can't tell whether the phone number really belongs to the person writing in, the support team can comply and deactivate the account, which forces you off the app for the remainder of the 12 hours. The problem is that even if you try to get back on, the attacker can simply repeat the process until, eventually, you're completely locked out with no way to get back into the app.
One of the big problems with this flaw is that it apparently works even with two-factor authentication turned on, since the attacker never actually needs to sign in to your account, and it highlights one of the main problems with SMS-based 2FA. Forbes questioned WhatsApp about the vulnerability, but there has been no indication that the team will address it.
So what can you do to make sure this doesn't happen to you? Although this attack, unfortunately, works even with 2FA, it's still worth having on, and we can walk you through how to enable two-factor authentication in WhatsApp on Android. This requires a PIN to register your number with the app, and it also gives you the option to add an email address, which is highly encouraged. WhatsApp states that users should add their email address to their credentials, which should come in handy if someone ever finds themselves in this situation. That said, it's highly problematic that this flaw exists, especially as WhatsApp's new policy for user accounts approaches.