Even though WhatsApp is one of the most popular messaging platforms, the app has recently put users at risk with several issues, including its privacy policy update. We recently saw a nasty scam circulating on WhatsApp that enables a user’s contacts to hack them. Now, a more deadly vulnerability has come to light that uses WhatsApp’s verification system to allow hackers to deactivate a user account permanently.
Discovered by security researchers Luis Marquez Carpintero and Ernesto Canales Perena and brought to light by Forbes, this new hack can be lethal for WhatsApp users as it involves a pretty simple albeit tedious process. Moreover, anyone with your phone number can carry out the process remotely. What is more dangerous is that even two-factor authentication (2FA) will not be able to save your account from deactivation.
The new remote-account-deactivation hack uses security weaknesses in two parts of WhatsApp’s ID verification architecture. The first is in the platform’s log-in-via-OTP process, and the second is in the lockout timer that the platform automatically sets after multiple failed login attempts.
As a result, an hour or so later, you will be automatically kicked out of your account and receive an account deactivation email from WhatsApp. Now, the odd thing is that when you try to re-register your account, you will need to enter the OTP sent by WhatsApp. However, that is not possible now, as there is a 12-hour timer that prevents the platform from generating new login codes for your number, and this timer applies to you and to the attacker who created the situation alike.
Image: Forbes
Now, in comes the second weakness in WhatsApp’s core architecture. After a certain number of repetitions of this loop, the automated security system simply breaks. Hence, if the attacker pushes your account to this stage by repeatedly triggering the failed login process, at some point, instead of the 12-hour timer for generating new codes, the system shows a -1 second timer. This means that the automated verification system has reached its limit and broken down.
Image: Forbes
Is It Fixable?
The security researchers, following the discovery of the said vulnerabilities, said that the issue is easily fixable with multi-device support, which WhatsApp has been working on for quite a long time now. With multi-device support, the platform can use a trusted-device system, much like Apple does, to verify the devices that users use to access their accounts.
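To make the two weaknesses above and the suggested fix concrete, here is an added defensive model (not WhatsApp's code, and not from the researchers or Forbes) of a login-code gate. The weak policy counts failed codes per phone number only, so a remote party who knows the number can exhaust the owner's 12-hour lockout; the hardened policy keys failures per (number, device), caps and clamps the lockout so it can never read as a negative timer, and exempts a device the owner has already trusted. The failure threshold, the 24-hour cap and the sample number are assumptions for the demonstration.

```python
from dataclasses import dataclass, field

HOUR = 3600
MAX_FAILS = 5                 # assumed threshold, not WhatsApp's real value
LOCK_SECONDS = 12 * HOUR      # the 12-hour code lockout the article describes
LOCK_CAP = 24 * HOUR          # assumed hard ceiling so repeated lockouts cannot run away

@dataclass
class OTPGate:
    """weak=True: failures counted per phone number (any remote party can lock
    the owner out). weak=False: per (number, device), capped, trusted device exempt."""
    weak: bool
    fails: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    trusted: set = field(default_factory=set)         # (number, device) pairs

    def _key(self, number, device):
        return number if self.weak else (number, device)

    def seconds_locked(self, number, device, now):
        until = self.locked_until.get(self._key(number, device), 0)
        return max(0, until - now)                    # clamp: never report -1

    def can_request_code(self, number, device, now):
        if not self.weak and (number, device) in self.trusted:
            return True                               # owner's trusted device is never blocked
        return self.seconds_locked(number, device, now) == 0

    def record_failed_code(self, number, device, now):
        k = self._key(number, device)
        self.fails[k] = self.fails.get(k, 0) + 1
        if self.fails[k] >= MAX_FAILS:
            extra = self.fails[k] - MAX_FAILS         # escalate per extra failure, but bounded
            self.locked_until[k] = now + min(LOCK_SECONDS * (extra + 1), LOCK_CAP)

def simulate(weak):
    """Constructed scenario: a remote device burns 50 failed codes against the victim's number."""
    gate = OTPGate(weak=weak)
    gate.trusted.add(("+15550001", "owner-phone"))    # constructed sample number and device
    for t in range(50):
        gate.record_failed_code("+15550001", "attacker-device", now=t)
    return {
        "owner_can_login": gate.can_request_code("+15550001", "owner-phone", now=60),
        "owner_wait": gate.seconds_locked("+15550001", "owner-phone", now=60),
        "attacker_wait": gate.seconds_locked("+15550001", "attacker-device", now=60),
    }

if __name__ == "__main__":
    print("weak:", simulate(True))
    print("hardened:", simulate(False))
```

Under the weak policy the owner inherits the attacker's full lockout; under the hardened policy only the device that failed is locked, and the lockout stays bounded and non-negative however many times the loop is repeated.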