A singular and disturbing security flaw in WhatsApp allows anyone to block your account on the service. All an attacker needs is your mobile phone number.
The problem is not a flaw in WhatsApp's own code, but a worrying weakness in the way the service locks accounts. The attacker cannot read your messages, but can leave you without access to the popular messaging application without you knowing what happened.
A problem that can cause a lot of headaches
The mechanism is simple. The attacker installs WhatsApp on a new phone and enters your number to activate the service. They cannot complete the verification, because the code is sent to your phone, not theirs.
Since the number is yours, the attacker instead enters several random verification codes. After a number of failed attempts, WhatsApp stops accepting new six-digit codes to validate that account for 12 hours.
For the victim, everything keeps working for now, but this is where it gets interesting: once code entry for the account is blocked, the attacker sends an email (from a disposable address, for example a newly created Gmail account) to the WhatsApp support address. In that message it is enough to claim that the phone has been stolen or lost and to ask for the service to be deactivated.
WhatsApp then simply takes the attacker's identity on trust, in an automated process that requires no further checks: the request is accepted and the process ends with the objective accomplished, your WhatsApp account is suspended. The attacker can repeat the process several times, making it almost impossible for you to use WhatsApp normally.
What you don't know is that you have to wait until the end of the 12-hour period that began when the attacker's verification codes failed. Only then can you reactivate the account, but you will be trying without knowing when those 12 hours actually end, and once the service is recovered you are again exposed to the attacker repeating the operation over and over again.
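The two weaknesses in the flow described above are design decisions, not code bugs: the failed-attempt counter is keyed on the victim's phone number alone, and the deactivation request is honoured with no proof that the requester controls that number. The following is an added, hypothetical model (not WhatsApp's code) that reproduces both weaknesses with flawed settings and shows the hardened alternative: counting failures per requesting device, and requiring a possession token issued only to whoever entered the correct SMS code. MAX_FAILED is an assumed threshold, since the article only says "several attempts".

```python
import hmac
import secrets
from collections import defaultdict

MAX_FAILED = 5            # assumed threshold; the article only says "several attempts"
LOCK_SECONDS = 12 * 3600  # the 12-hour block the article describes


class VerificationService:
    """Hypothetical model of the number-verification and deactivation flow.
    per_requester=False and require_proof=False reproduce the flaw in the article;
    True for both is the hardened design."""

    def __init__(self, per_requester: bool, require_proof: bool):
        self.per_requester = per_requester
        self.require_proof = require_proof
        self.pending = {}                 # phone -> code sent by SMS to that phone
        self.failed = defaultdict(int)    # lockout key -> failed attempts
        self.locked_until = {}            # lockout key -> unix time the lock ends
        self.proofs = {}                  # possession token -> phone it was issued for
        self.deactivated = set()

    def _key(self, phone, requester):
        # Flawed: one counter per number, shared by everyone who enters that number.
        return (phone, requester) if self.per_requester else phone

    def request_code(self, phone):
        self.pending[phone] = f"{secrets.randbelow(10**6):06d}"

    def submit_code(self, phone, requester, code, now):
        """Returns ("ok", token) on success, else ("wrong", None) or ("locked", None)."""
        key = self._key(phone, requester)
        if self.locked_until.get(key, 0) > now:
            return "locked", None
        if hmac.compare_digest(code, self.pending.get(phone, "")):
            self.failed.pop(key, None)
            token = secrets.token_hex(16)   # proof that this requester saw the SMS
            self.proofs[token] = phone
            return "ok", token
        self.failed[key] += 1
        if self.failed[key] >= MAX_FAILED:
            self.locked_until[key] = now + LOCK_SECONDS
            return "locked", None
        return "wrong", None

    def deactivate(self, phone, proof=None):
        """Support request. Flawed mode trusts the claim; hardened mode needs a token."""
        if self.require_proof and self.proofs.get(proof) != phone:
            return False
        self.deactivated.add(phone)
        return True
```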
The problem has been revealed as a proof of concept by two Spanish researchers, Luis Márquez Carpintero and Ernesto Canales Peña. Although it does not give access to messages or contacts, any attacker who knows your mobile number can cause you a lot of inconvenience, especially if you are a heavy WhatsApp user.
Those responsible for WhatsApp and Facebook do not, for now, appear to be evaluating a possible solution, which does not seem particularly difficult. In comments to Forbes they downplayed the problem, which certainly exists and can cause quite a few headaches.
Via | Forbes