WhatsApp is a platform that is used by billions of users around the world everyday, and for many (such as this writer), the app has practically superseded traditional messaging services as my go-to text communication channel. And a big part of the chat service’s success is down to end-to-end encryption—which basically means that any data transmitted between users is encrypted, and only the sender and recipient (the end to end) can decrypt the contents of messages and other media files such as documents.
There now appears to be a new loophole that allows attackers to use your phone number to lock you out of your own WhatsApp account. The main problem? All the attackers need is your phone number. As first reported by Forbes, researchers have now found that the bug (you could call it that, I suppose) was a “worrying hack” that could affect “millions of users”. The worrying part of all of this is how easy it is to actually set this in motion.
How does it work?
So, this new security flaw involves two main processes. Firstly, when you install WhatsApp on a new phone, you usually get an SMS verification code. Next, WhatsApp (tries to) verify you as the user who is setting up WhatsApp for the first time on a new device. If an attacker does this, they will not receive the verification code, preventing them from taking over the account. All good so far, right?
Well, no. As it turns out, attackers can repeatedly request for 2FA verification on your WhatsApp account—which won’t work, but it will eventually suspend your account for 12 hours. This means that through no fault of your own, you could lose access to WhatsApp for an extended period of time just because someone has made attempts to get into your account.
It gets worse. Next, attackers can then reportedly send an e-mail to WhatsApp themselves, reporting a lost/stolen smartphone and asking for the account to be locked for a longer period of time. The researchers also claim that WhatsApp then confirms this extended suspension in an email—without any sort of verification on the user (attacker) requesting this.
It must be noted that this loophole doesn’t actually give attackers access to your messages and private data, it only allows these parties to lock you out of your own account. But given the importance of the communication that happens over WhatsApp—and the sensitivity of certain private data shared—it’s certainly a worry. For now, be sure to enable 2FA to prevent attackers from actually taking over your account, and you’re best advised to include an email address for that very purpose.
And of course, never share verification codes with anyone.