How to prevent attackers from locking you out of WhatsApp

While the result is more annoying than dangerous, a recently exploited quirk of WhatsApp's two-step verification flow makes it relatively easy for an attacker to lock you out of your own account for varying lengths of time. As of this writing, all a bad actor needs is the phone number associated with your WhatsApp account. That's it.

The attack itself is easy to carry out. As Android Police describes it:

This newly discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can't verify it, because of course the two-factor authentication system sends the login code to your phone. After several repeated failed attempts, login for your number is blocked for 12 hours.

This is where the tricky part comes in: with your account blocked, the attacker sends a message to WhatsApp support from their own email address, claiming that their (your) phone has been lost or stolen and that the account associated with your number must be deactivated. WhatsApp "verifies" this with a reply email and suspends your account without any input from you. The attacker can repeat the process several times in a row to create a semi-permanent lock on your account.

The silver lining here is that the attack can't actually be used to take over your account, only to annoy you by making it unusable for a period of time (potentially permanently, if the attacker is dedicated enough).

WhatsApp representatives told Forbes that the easiest way to protect yourself from this type of attack is to make sure you have associated an email address with two-step verification, so that an attacker cannot impersonate you to support. You can do this right now by opening WhatsApp, going to its Settings, tapping Account, then Two-step verification, and entering your email address (or checking that you have already done so).

This will not block the attack itself, but it will make it easier for WhatsApp's customer support team to help you if you find yourself in the "can't verify my account" feedback loop, which is what happens when an attacker contacts WhatsApp posing as you, claims your account has been hacked, and asks WhatsApp to disable it. (You will then "receive" codes to reverse the erroneous deactivation; you just won't be able to enter them, because the attacker's earlier flood of wrong 2FA codes will have temporarily locked verification for your number.)

As Forbes' Zak Doffman writes:

This is not complex and should be easily fixed. WhatsApp could ensure that an app on a device with 2FA registered can avoid this problem by using 2FA as a circuit breaker. More simply, when multi-device access finally arrives, WhatsApp could use the concept of a trusted device to enable one verified app to verify another. This is a much better system and would stop this vulnerability.
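To make the "circuit breaker" idea concrete, here is an added, constructed model of the lockout logic. It is not WhatsApp's code and does not come from Forbes or Android Police; the attempt threshold of five, the phone number, the device identifiers and the PIN are all assumed values, and only the 12-hour lockout comes from the article. The naive verifier keys its failure counter on the phone number alone, so a stranger's wrong guesses lock out the owner. The hardened verifier keys the counter on (number, device), so an attacker's fresh device exhausts only its own budget, and it lets a device that presents the registered two-step-verification PIN verify without touching the SMS path at all.

```python
"""Constructed model of a verification-lockout denial of service and a
circuit-breaker fix. Not WhatsApp's implementation; all values are assumed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5         # assumed threshold; the article only says "several"
LOCKOUT_SECONDS = 12 * 60 * 60  # the 12-hour lockout the article reports


def pin_hash(pin: str) -> bytes:
    """Store only a hash of the two-step-verification PIN, never the PIN itself."""
    return hashlib.sha256(pin.encode()).digest()


@dataclass
class NaiveVerifier:
    """Failure budget keyed on the phone number alone: anyone who knows the
    number can burn it from a new device and lock the real owner out."""
    sms_codes: dict[str, str]  # number -> code the service "sent" (simulated)
    failures: dict[str, int] = field(default_factory=dict)
    locked_until: dict[str, float] = field(default_factory=dict)

    def submit_sms_code(self, number: str, code: str, now: float) -> str:
        if self.locked_until.get(number, 0.0) > now:
            return "locked"
        if hmac.compare_digest(code, self.sms_codes[number]):
            self.failures[number] = 0
            return "verified"
        self.failures[number] = self.failures.get(number, 0) + 1
        if self.failures[number] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[number] = now + LOCKOUT_SECONDS
        return "wrong_code"


@dataclass
class CircuitBreakerVerifier:
    """Budget keyed on (number, device), plus a PIN path that bypasses SMS:
    the registered two-step-verification PIN is the circuit breaker."""
    sms_codes: dict[str, str]
    pin_hashes: dict[str, bytes]  # number -> hash of the registered PIN
    failures: dict[tuple[str, str], int] = field(default_factory=dict)
    locked_until: dict[tuple[str, str], float] = field(default_factory=dict)

    def _record_failure(self, key: tuple[str, str], now: float) -> None:
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def submit_sms_code(self, number: str, device_id: str, code: str, now: float) -> str:
        key = (number, device_id)
        if self.locked_until.get(key, 0.0) > now:
            return "locked"
        if hmac.compare_digest(code, self.sms_codes[number]):
            self.failures[key] = 0
            return "verified"
        self._record_failure(key, now)
        return "wrong_code"

    def submit_pin(self, number: str, device_id: str, pin: str, now: float) -> str:
        key = (number, device_id)
        if self.locked_until.get(key, 0.0) > now:
            return "locked"
        expected = self.pin_hashes.get(number)
        if expected is None:
            return "no_pin_registered"
        if hmac.compare_digest(pin_hash(pin), expected):
            self.failures[key] = 0
            return "verified"
        self._record_failure(key, now)  # PIN guesses are budgeted per device too
        return "wrong_pin"


def run_scenario() -> dict[str, str]:
    """Replay the attack against both designs. Every input here is constructed."""
    number, sms_code, pin = "+15555550100", "482913", "731905"
    victim_device, attacker_device = "victim-phone", "attacker-phone"
    t0 = 0.0

    naive = NaiveVerifier(sms_codes={number: sms_code})
    for _ in range(MAX_FAILED_ATTEMPTS):  # attacker guesses wrong from a new phone
        naive.submit_sms_code(number, "000000", t0)
    naive_victim = naive.submit_sms_code(number, sms_code, t0 + 60)  # owner, right code
    naive_later = naive.submit_sms_code(number, sms_code, t0 + LOCKOUT_SECONDS + 1)

    fixed = CircuitBreakerVerifier(sms_codes={number: sms_code},
                                   pin_hashes={number: pin_hash(pin)})
    for _ in range(MAX_FAILED_ATTEMPTS):
        fixed.submit_sms_code(number, attacker_device, "000000", t0)
    return {
        "naive_victim": naive_victim,
        "naive_victim_after_lockout": naive_later,
        "fixed_attacker": fixed.submit_sms_code(number, attacker_device, "000000", t0 + 60),
        "fixed_victim_sms": fixed.submit_sms_code(number, victim_device, sms_code, t0 + 60),
        "fixed_victim_pin": fixed.submit_pin(number, victim_device, pin, t0 + 60),
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

Under the naive design the owner's correct code is rejected with "locked" for the full 12 hours because the attacker spent the number's budget; under the per-device design the attacker's own device is the only one locked, and the owner verifies either by SMS code or by PIN. Keying the budget on the device does mean a PIN brute-forcer has to burn a fresh device identity per five guesses, so a real deployment would still want a slower global throttle on a number, one that degrades to delays rather than a hard lock that a stranger can trigger.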

I would expect WhatsApp to be looking into this issue and fixing the 2FA verification process (or the account deactivation process) to make such attacks ineffective. In the meantime, you might consider using a completely different phone number for WhatsApp, if possible, to minimize the risk of being locked out.
