Vulnerabilities in WhatsApp’s User-Verification System

Discovered by security researchers Luis Marquez Carpintero and Ernesto Canales Perena and reported by Forbes, this attack is serious for WhatsApp users because it is simple, if tedious, to carry out. Anyone who knows your phone number can run it remotely, and two-factor authentication (2FA) will not stop it: the attacker never actually logs in to your account, so there is no PIN to guess. The damage comes from the lockout and the deactivation request described below.

How Does it Work?

The remote-account-deactivation attack chains two weaknesses in WhatsApp's phone-number verification: the log-in-via-OTP flow itself, and the lockout timer the platform sets after repeated failed verification attempts.

The attacker starts by entering your phone number on WhatsApp's registration screen. At this stage you are not locked out and can keep using the app as normal, but you start receiving verification codes by SMS, because the attacker is repeatedly requesting codes and submitting random guesses. After enough failed attempts, WhatsApp applies a 12-hour lockout during which no new verification codes are issued for your number. Crucially, that lockout is keyed to the phone number, not to the device or person that caused it, so it applies to you and the attacker alike.

Next, the attacker emails support@whatsapp.com from an address that merely claims to be yours, asking for the account tied to your number to be deactivated. WhatsApp support now sees a run of failed login attempts on the number and a deactivation request for it. Roughly an hour later you are logged out of your account and receive a deactivation email from WhatsApp.

When you then try to re-register, WhatsApp asks for a new OTP, but the 12-hour lockout on your number prevents one from being issued, and the timer is the same for you and for the attacker who triggered it.

(Image: Forbes)

Once the timer expires you can try to re-register, but if the attacker repeats the failed-login phase before you get there, the cycle starts over.

The System Breakdown

Here the second weakness in WhatsApp's verification architecture comes in. After the lockout cycle has been repeated a certain number of times, the automated system simply breaks: instead of a 12-hour timer for issuing new codes, it shows a timer of -1 seconds, meaning the verification system has hit its limit and is no longer counting down at all.

(Image: Forbes)

From that point no new verification codes can be issued for your number, so your account stays deactivated indefinitely. WhatsApp deletes deactivated accounts after 30 days, so unless the situation is resolved within that window, your account is permanently removed from its database. The process is tedious but requires no special tooling: anyone with a smartphone and your phone number can turn these automated protections against you to deactivate your account remotely.

Is It Fixable?

The researchers say the issue could be fixed by the multi-device support WhatsApp has been working on for some time. With multi-device support, the platform could adopt a trusted-device model much like Apple's, verifying the devices a user legitimately uses to access the account rather than relying on the phone number alone. For now there is no workaround. If you start receiving WhatsApp verification codes you did not request, take it as a sign that someone may be trying to deactivate your account, and contact WhatsApp's support team in advance to flag the situation. It is also worth warning friends and family about this attack.
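To make the design point from the "How Does it Work?" and "Is It Fixable?" sections concrete, here is an added illustrative model, not WhatsApp's code (whose internals are not public), of the two rate-limiter designs the article contrasts: a lockout keyed only to the phone number, which lets a stranger lock out the owner, beside a lockout keyed to a trusted device, along the lines the researchers suggest. The class names, the five-attempt threshold, the sample phone number and codes, and the trusted-device bookkeeping are all assumptions made for the example.

```python
"""Model of a per-number OTP lockout versus a trusted-device lockout.

Added example; not WhatsApp's implementation. Thresholds, names and the
trusted-device registry are assumptions chosen to illustrate the design flaw
described in the article.
"""
from dataclasses import dataclass

LOCKOUT_SECONDS = 12 * 3600  # assumed; mirrors the 12-hour timer in the article
MAX_FAILURES = 5             # assumed number of wrong codes before lockout


@dataclass
class Bucket:
    """Failure counter plus lockout expiry for one rate-limit key."""
    failures: int = 0
    locked_until: float = 0.0


class PerNumberOtpGate:
    """Vulnerable design, as the article describes it: one counter and one
    lockout per phone number. Whoever submits wrong codes locks the number
    for everyone, the real owner included."""

    def __init__(self):
        self.buckets: dict[str, Bucket] = {}

    def _bucket(self, number: str, requester: str) -> Bucket:
        # The requester identity is ignored: the key is the number alone.
        return self.buckets.setdefault(number, Bucket())

    def can_request_code(self, number: str, requester: str, now: float) -> bool:
        return now >= self._bucket(number, requester).locked_until

    def submit_code(self, number: str, requester: str, code: str,
                    real_code: str, now: float) -> str:
        b = self._bucket(number, requester)
        if now < b.locked_until:
            return "locked"
        if code == real_code:
            b.failures = 0
            return "ok"
        b.failures += 1
        if b.failures >= MAX_FAILURES:
            b.failures = 0
            b.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


class TrustedDeviceOtpGate(PerNumberOtpGate):
    """Hardened design (assumed trusted-device model): a device that already
    holds a trust credential for the number gets its own bucket; every other
    requester shares the number's anonymous bucket. A stranger can only
    exhaust the anonymous bucket, so the owner's known device is unaffected."""

    def __init__(self, trusted: dict[str, set[str]]):
        super().__init__()
        self.trusted = trusted  # number -> trusted device ids (assumed registry)

    def _bucket(self, number: str, requester: str) -> Bucket:
        if requester in self.trusted.get(number, set()):
            key = f"{number}|device:{requester}"
        else:
            key = f"{number}|anonymous"
        return self.buckets.setdefault(key, Bucket())


def simulate_attack(gate: PerNumberOtpGate, number: str = "+15550100",
                    owner_device: str = "owner-phone",
                    attacker: str = "attacker-phone") -> tuple:
    """Replays the article's first phase: the attacker submits wrong codes for
    the victim's number until lockout, then we check whether the owner's own
    device can still request a code. Constructed inputs; returns
    (attacker's last result, owner_can_request_code)."""
    last = "wrong"
    for i in range(MAX_FAILURES):
        last = gate.submit_code(number, attacker, code="000000",
                                real_code="482913", now=float(i))
    owner_ok = gate.can_request_code(number, owner_device, now=float(MAX_FAILURES))
    return last, owner_ok


if __name__ == "__main__":
    # Per-number lockout: the owner is locked out along with the attacker.
    print("per-number gate:", simulate_attack(PerNumberOtpGate()))
    # Trusted-device lockout: only the anonymous bucket is locked.
    hardened = TrustedDeviceOtpGate(trusted={"+15550100": {"owner-phone"}})
    print("trusted-device gate:", simulate_attack(hardened))
```

The third case worth checking is an owner who has no trusted device registered for the number: in the hardened gate that owner still shares the anonymous bucket and is locked out just like before, which is why the fix depends on multi-device support existing at all, not merely on a different counter key.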
