It has been reported that a new vulnerability has been discovered in the famous instant messaging app WhatsApp. The vulnerability lets cybercriminals remotely suspend users’ accounts using their phone numbers. A recently published report by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña indicates that the vulnerability seems to have existed in WhatsApp for a long time.
Furthermore, it enables attackers to block users from activating their account again, even if the user has enabled two-factor authentication. Once a user is locked out of the account, there is no simple or quick way to regain access to it. “This is yet another worrying hack,” warns ESET’s Jake Moore. He further added that this could impact millions of users who could potentially be targeted with this attack, with so many people depending on WhatsApp as their primary communication tool for social and work purposes.
The attack itself is quite straightforward. An attacker downloads the WhatsApp app on a device, enters a user’s phone number, and taps the Verify button. Because the attacker does not have the victim’s SIM card, the verification codes are sent to the user rather than to the attacker. Since the attacker is not trying to gain access to the account, the code is not needed. Instead, the attacker makes multiple failed attempts, retrying the login process until the user is unable to request more codes for half a day.
A WhatsApp spokesperson has stated, “Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.” However, WhatsApp has not disclosed whether the company is going to do something about these flaws, which are exposed to abuse.