This WhatsApp Flaw Lets Attackers Permanently Deactivate User Accounts Remotely

Apr. 13, 2021



Even though WhatsApp is one of the most popular messaging platforms, the app has recently put users at risk with several issues, including its privacy policy update. We recently saw a nasty scam circulating on WhatsApp that enables a user's contacts to hack them. Now, a more serious vulnerability has come to light: it abuses WhatsApp's verification system to let an attacker deactivate a user account permanently.

Vulnerabilities in WhatsApp’s User-Verification System

Discovered by security researchers Luis Marquez Carpintero and Ernesto Canales Perena and brought to light by Forbes, this new attack can be damaging for WhatsApp users because the process is simple, if tedious. Moreover, anyone who knows your phone number can carry it out remotely. What makes it more dangerous is that even two-factor authentication (2FA) will not save your account from deactivation: the attacker never completes a login, so the 2FA PIN, which WhatsApp only asks for after a code has been verified, is never checked.

The remote-account-deactivation attack uses weaknesses in two parts of WhatsApp's identity verification architecture. The first is the log-in-via-OTP (one-time passcode) process of the platform, and the second is the timer the platform automatically sets after multiple failed login attempts.

An attacker who knows your phone number starts by entering it on the WhatsApp login screen. Keep in mind that while the attacker performs these initial actions you are only partially affected and can still use the platform as usual. However, you will receive multiple login codes via SMS, because the attacker is repeatedly requesting codes and submitting wrong ones in order to trigger the second phase of the attack.

In the second phase, after multiple failed login attempts for your number, WhatsApp starts a 12-hour timer during which no new login codes are issued for that number. The attacker now sends an account deactivation request for your phone number to support@whatsapp.com from a throwaway email address. At this point, WhatsApp has seen multiple failed login attempts for your number and has received a deactivation request for the account linked to it.

As a result, an hour or so later, you are automatically logged out of your account and receive an account deactivation email from WhatsApp. The catch is that when you try to re-register, you need to enter the OTP sent by WhatsApp. That is not possible now, because the 12-hour timer blocks new login codes for your number, and the timer is keyed to the phone number rather than to who asked: it applies equally to you and to the attacker who created the situation.

[Image: Forbes]

You could try to re-register after the timer expires. However, if the attacker repeats the same trick before you get to re-register, the process goes into a loop.

Now comes the second weakness in WhatsApp's core architecture. After the loop has been repeated a certain number of times, the automated security system simply breaks. If the attacker pushes your number to this stage by repeatedly going through the failed-login process, at some point the app shows a timer of -1 seconds instead of the 12-hour timer for generating new codes. This means the automated verification system has reached its limit and broken down.

[Image: Forbes]

From then on, no new login codes can be generated for your phone number at all, thanks to the broken timer. As a result, your account stays deactivated for the next 30 days, after which WhatsApp automatically and permanently deletes it from its database.

The process is tedious, but it requires no special skill or tooling. Anyone with a smartphone and your phone number can take advantage of these automated security weaknesses in WhatsApp to deactivate your account remotely.

Following the discovery of these vulnerabilities, the security researchers said that the issue is easily fixable with multi-device support, on which WhatsApp has been working for quite a long time now. With multi-device support, the platform can use a trusted-device system, much like Apple's, to verify the devices from which users access their accounts, so that a lockout of the SMS code path does not also lock out the account's real owner.
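The following is an added illustration, not WhatsApp's code and not the researchers' proof of concept, of the design flaw described above and of the trusted-device fix they suggest. It models an OTP verifier whose lockout state is keyed only on the phone number, so the failed guesses of a stranger lock out the number's real owner, and then adds a separate, device-bound verification path that the SMS lockout does not touch. The 12-hour window, the five-attempt threshold, the sample phone number and the shape of the trusted-device check are all assumptions chosen for the example; the article gives only the 12-hour figure and the words "multiple failed login attempts".

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed parameters mirroring the article's description, not observed values.
LOCKOUT_SECONDS = 12 * 3600   # "12-hour timer"
MAX_FAILED_ATTEMPTS = 5       # "multiple failed login attempts"

VICTIM_PHONE = "+15550100"    # constructed sample number


@dataclass
class OtpVerifier:
    """OTP verification whose lockout state is keyed only on the phone number.

    Whoever submits wrong codes for a number trips the lockout for everyone who
    later asks for a code for that number, including its real owner.
    """
    failed: dict = field(default_factory=dict)        # phone -> failed attempts
    locked_until: dict = field(default_factory=dict)  # phone -> unix time
    pending: dict = field(default_factory=dict)       # phone -> current code
    trusted: dict = field(default_factory=dict)       # phone -> device secret

    def seconds_locked(self, phone: str, now: int) -> int:
        return max(0, self.locked_until.get(phone, 0) - now)

    def request_code(self, phone: str, now: int):
        """Return a fresh 6-digit code, or None while the number is locked out."""
        if self.seconds_locked(phone, now):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        return code

    def verify_sms(self, phone: str, code: str, now: int) -> bool:
        """Check a submitted code; MAX_FAILED_ATTEMPTS wrong ones lock the number."""
        if self.seconds_locked(phone, now):
            return False
        expected = self.pending.get(phone)
        if expected is not None and hmac.compare_digest(expected, code):
            self.failed[phone] = 0
            self.pending.pop(phone, None)
            return True
        self.failed[phone] = self.failed.get(phone, 0) + 1
        if self.failed[phone] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[phone] = now + LOCKOUT_SECONDS
            self.failed[phone] = 0
        return False

    # Trusted-device path: an assumed sketch of the fix the researchers suggest.
    def enroll_device(self, phone: str) -> str:
        """Bind a secret to the owner's verified device at enrolment time."""
        secret = secrets.token_hex(16)
        self.trusted[phone] = secret
        return secret

    def verify_device(self, phone: str, device_secret: str) -> bool:
        """Re-verify with an enrolled device; independent of the SMS lockout."""
        stored = self.trusted.get(phone)
        return stored is not None and hmac.compare_digest(stored, device_secret)


def attacker_burns_lockout(v: OtpVerifier, phone: str, now: int) -> None:
    """What anyone who knows the number can do: request codes, submit junk."""
    for _ in range(MAX_FAILED_ATTEMPTS):
        v.request_code(phone, now)
        v.verify_sms(phone, "wrong!", now)  # wrong length, so never matches


def run_scenario(enroll_trusted_device: bool) -> dict:
    """Attacker locks the number at t=0; the owner tries to re-register at t=1h."""
    v = OtpVerifier()
    device_secret = v.enroll_device(VICTIM_PHONE) if enroll_trusted_device else None
    attacker_burns_lockout(v, VICTIM_PHONE, now=0)
    owner_code = v.request_code(VICTIM_PHONE, now=3600)  # None: owner is locked out too
    return {
        "owner_gets_sms_code": owner_code is not None,
        "hours_locked": v.seconds_locked(VICTIM_PHONE, 3600) // 3600,
        "owner_can_use_trusted_device": (
            device_secret is not None and v.verify_device(VICTIM_PHONE, device_secret)
        ),
        "attacker_can_use_trusted_device": v.verify_device(VICTIM_PHONE, "not-the-secret"),
    }


if __name__ == "__main__":
    print("number-keyed lockout only:", run_scenario(enroll_trusted_device=False))
    print("with trusted device:      ", run_scenario(enroll_trusted_device=True))
```

Running the two scenarios shows the asymmetry that matters: in both, the attacker's wrong guesses leave the owner unable to obtain an SMS code for the remaining 11 hours, but only the trusted-device variant gives the owner a way back in that the attacker, who holds no device secret, cannot use. Note what the example does not model: the support-email deactivation step and the -1 second timer are WhatsApp-internal behaviour that the article reports but does not explain, so no attempt is made to reproduce them.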

However, as of now there is no workaround. If you start receiving login codes from WhatsApp that you did not request, treat it as a strong sign that someone is trying to deactivate your account, and never forward those codes to anyone, whatever the message asking for them claims. You can contact WhatsApp's support team to tell them about the situation in advance so they can protect your account. Also, spread the word among your friends and family to keep them informed about this dangerous WhatsApp attack.

Bringing the latest in technology, gaming, and entertainment is our superhero team of staff writers. They have a keen eye for latest stories, happenings, and even memes for tech enthusiasts.