



WhatsApp users have a new reason to be careful. A newly disclosed vulnerability lets a remote attacker deactivate WhatsApp on a victim's phone knowing nothing but the victim's phone number, and WhatsApp's two-step verification PIN does nothing to prevent it. Facebook-owned WhatsApp has more than 2 billion users worldwide, making it the most popular and most used instant messaging app in the world. Part of the damage depends on a misstep by the victim, but at the stage that is supposed to protect the account, two-step verification plays no part in stopping the attack. Security researchers Luis Márquez Carpintero and Ernesto Canales Perea demonstrated the vulnerability to Forbes by deactivating WhatsApp on a user's phone.

As the report describes it, the attack has two parts. The first is nothing more than a normal WhatsApp installation on any device. When you install WhatsApp on your own phone, you receive a six-digit SMS code that verifies your number and SIM card. An attacker can do exactly the same thing with your number on their phone. At this point you start receiving six-digit codes by SMS, which is the only sign that someone has requested a code to install WhatsApp with your number. There is nothing you can do about it, and WhatsApp on your phone keeps working normally. The codes keep arriving because repeated requests are part of the attack. Eventually WhatsApp's verification process throttles the number: no further codes can be generated for 12 hours. That limit is tied to the phone number, not to the device that made the requests, so it applies to you as much as to the attacker. During this period WhatsApp continues to work fine on your phone. What you must not do at this stage is deactivate WhatsApp on your phone and try to reinstall it, because you will not be able to obtain a new code. The vulnerability reportedly affects both WhatsApp for Android and WhatsApp for iPhone.

Then comes the second part. The attacker creates a new email account and emails WhatsApp support, claiming that the phone on which WhatsApp is installed has been lost or stolen and asking for the account with that number to be deactivated. The number given is yours. WhatsApp may reply asking to confirm the number, but it has no way to tell whether the sender is the real owner or an attacker. After a while, WhatsApp for that phone number is deactivated. The next time you open the app, it tells you that your phone number is no longer registered on WhatsApp and that this may be because WhatsApp has been installed on another phone. This is the point at which to be very careful.

The logical next step is to set WhatsApp up again on your phone: enter your number and wait for the verification code. According to the report, the code does not arrive; instead the app tells you to wait before requesting another SMS or a call. Your phone is subject to the same 12-hour countdown the attacker triggered, so your ability to re-verify is throttled. Then you remember the unexpected WhatsApp codes that arrived an hour or two earlier. You dig out the latest SMS and enter that code. That does not work either: WhatsApp tells you that you have guessed too many times. You have not guessed at all, but your phone is under the same restrictions as the attacker's. You cannot request a new code and you cannot enter the last one. You are stuck, the report says.

Once the 12 hours have passed there are two possible paths, and with luck you get the good one. If the attack stops here, you can register WhatsApp on your phone again and life returns to normal. If not, worse follows. If the attacker waits out the 12 hours and then starts the cycle again, you cannot set WhatsApp up on your phone even when a text message with a code does arrive. The researchers found that after the third 12-hour cycle WhatsApp broke down altogether: instead of counting down, the app said it would retry after -1 seconds. The same thing happens on your phone and on the attacker's phone. And here is the problem. If the attacker holds off on the deactivation email until this point, then once you are kicked out of the app there is no way to re-register WhatsApp on your phone at all. By then it is too late, the researchers told Forbes.

The problem with WhatsApp's verification architecture is that the SMS code and the automated email support path lack a second layer to establish who is really asking, which makes them easy to exploit. The researchers also point out that no advanced knowledge is needed to carry out this kind of attack. There is no way to opt out of being discoverable on WhatsApp: anyone can enter a phone number and find out whether an account is associated with it. Ideally, the move towards privacy will not only help protect users from now on but will also force people to set up a two-step verification PIN, ESET's Jake Moore said. WhatsApp simply binds an account to a phone number; there is no trusted-device policy that ties it to the device ID or operating system of the last installed and verified device.
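To make the architectural point concrete, here is a toy model of the verification flow described above (the attacker's repeated code requests, the 12-hour throttle, and the owner's failed re-registration) written for this page. It is not WhatsApp's code; the request and guess budgets, the device names and the phone number are assumptions. The `key_on_device=False` variant keys every limit on the phone number alone, so the budget the attacker burns through is the owner's budget too. The `key_on_device=True` variant keys the limits on (number, requesting device) and only accepts a code from the device that asked for it, which is one way to add the missing second layer.

```python
import secrets
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 12 * 3600   # the 12-hour window the article describes
MAX_CODE_REQUESTS = 5         # assumed budgets; the article gives no figures
MAX_WRONG_GUESSES = 5


@dataclass
class VerificationThrottle:
    """Rate limiter for SMS verification codes.

    key_on_device=False reproduces the number-only keying the article
    criticises; True keys every budget on (number, requesting device).
    Illustrative model only, not WhatsApp's implementation.
    """
    key_on_device: bool
    requests: dict = field(default_factory=dict)       # key -> codes requested
    wrong_guesses: dict = field(default_factory=dict)  # key -> failed entries
    locked_until: dict = field(default_factory=dict)   # key -> unix time
    issued: dict = field(default_factory=dict)         # key -> code still valid

    def _key(self, number, device):
        return (number, device) if self.key_on_device else (number,)

    def _locked(self, key, now):
        return now < self.locked_until.get(key, 0)

    def request_code(self, number, device, now):
        """Return (status, code); the code is what the SMS to `number` carries."""
        key = self._key(number, device)
        if self._locked(key, now):
            return "locked", None
        self.requests[key] = self.requests.get(key, 0) + 1
        if self.requests[key] > MAX_CODE_REQUESTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return "locked", None
        code = f"{secrets.randbelow(10**6):06d}"
        self.issued[key] = code
        return "sent", code

    def verify_code(self, number, device, code, now):
        """Accept a code only under the key it was issued for."""
        key = self._key(number, device)
        if self._locked(key, now):
            return "locked"
        expected = self.issued.get(key)
        if expected is not None and secrets.compare_digest(expected, code):
            del self.issued[key]
            return "registered"
        self.wrong_guesses[key] = self.wrong_guesses.get(key, 0) + 1
        if self.wrong_guesses[key] >= MAX_WRONG_GUESSES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def simulate(key_on_device):
    """Replay the article's sequence and report what the real owner experiences."""
    throttle = VerificationThrottle(key_on_device)
    number = "+15555550100"                      # constructed sample number
    attacker, victim = "attacker-phone", "victim-phone"
    inbox = []  # every SMS lands on the phone that owns `number`, whoever asked

    # 1. The attacker keeps requesting codes for the victim's number until the
    #    throttle trips; the victim just sees unexplained codes arriving.
    for _ in range(MAX_CODE_REQUESTS + 1):
        status, code = throttle.request_code(number, attacker, now=0)
        if status == "sent":
            inbox.append(code)
    # 2. The attacker also burns the guess budget. A 7-digit guess can never
    #    match a 6-digit code, so these entries are guaranteed to be wrong.
    for _ in range(MAX_WRONG_GUESSES):
        throttle.verify_code(number, attacker, "0000000", now=0)

    # 3. Support deactivates the account out of band (the email step). Two hours
    #    later the owner tries to re-register, still inside the 12-hour window.
    later = 2 * 3600
    status, code = throttle.request_code(number, victim, now=later)
    if status == "sent":
        inbox.append(code)
    # The owner enters the most recent code that arrived on their phone.
    result = throttle.verify_code(number, victim, inbox[-1], now=later)
    return {"victim_request": status, "victim_verify": result}


if __name__ == "__main__":
    print("number-keyed throttle:", simulate(key_on_device=False))
    print("device-keyed throttle:", simulate(key_on_device=True))
```

With number-only keying the owner's request and code entry both come back "locked", exactly the dead end the report describes; with device keying the owner's request is sent and the code registers. Binding a code to the requesting device also means a code the attacker triggers is useless to anyone else. It does not, by itself, fix the support-email deactivation path, which needs its own proof of ownership.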

Unfortunately, WhatsApp's response to Forbes' Zak Doffman is not reassuring. The company says that providing an email address along with two-step verification helps its customer service team assist people in the unlikely event they run into this problem, that the situation identified by the researchers would violate its Terms of Service, and that anyone who needs help should email the support team so it can investigate. If your WhatsApp account has been locked out this way, the knowledge that whoever carried out this unsophisticated attack violated WhatsApp's Terms of Service offers little comfort. The report also notes that WhatsApp has not confirmed any plan to fix the vulnerability.

