The WhatsApp flaw that lets anyone lock you out of your account

WhatsApp - The Telegraph

WhatsApp includes a newly discovered flaw that determined hackers can use to shut down your account, blocking you from sending or receiving messages.

Anyone who knows your phone number can use the bug to attempt to lock you out of your account, deactivating it for good.

The flaw works by exploiting a problem in the system that WhatsApp uses to transfer an account from one smartphone to another.

If an attacker enters your phone number into their smartphone, it’ll trigger notifications on your phone that someone is trying to sign into your account.

Ignoring those notifications doesn’t prevent this bug, however. After a certain point, WhatsApp automatically blocks attempts to take over your account, freezing the attacker out.

Researchers Luis Márquez Carpintero and Ernesto Canales Pereña then discovered a serious problem. They sent details of the flaw to Forbes, which first reported it.

By emailing WhatsApp and requesting to deactivate the victim’s account, they were able to lock victims out of their WhatsApp accounts entirely.

Targets would then find themselves unable to get back into their accounts. Since reactivation codes are already blocked for the target at this point, the researchers were able to lock accounts down with no way to bring them back to life.

WhatsApp’s timer counting down to the victim being able to enter a code to verify their account and log back in becomes stuck on “-1 seconds” because the attackers have repeatedly sent codes as they attempted to log in.

This problem still exists even if people have set up two-factor authentication to log into their account, which requires extra credentials to sign in and is designed to stop hackers being able to break into WhatsApp accounts.

However, one way to prevent the flaw is to provide WhatsApp with your email address. You can enter it in the “Two-step verification” settings menu under “Account” in the WhatsApp settings page.

A WhatsApp spokesman said: “Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.

“The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”
