The disclosure of a shocking new security risk in WhatsApp is an unpleasant surprise for the platform's two billion users. Using just your phone number, a remote attacker can easily disable WhatsApp on your phone and then stop you from logging back in. Not even two-factor authentication can prevent this. Here is how the attack works.
This should not happen. This should be impossible. Not on a platform used by two billion people. It can't be that easy. So when researchers Luis Márquez Carpintero and Ernesto Canales Pereña warned me that they could kill WhatsApp on my phone, using only my phone number, to prevent me from using my own account, I doubted it. But they were right.
"This is another worrying hack," warns ESET's Jake Moore, "and it could affect millions of users who could be targeted in this attack. With so many people relying on WhatsApp as a primary communication tool, it's appalling how easily this can happen."
Despite its huge user base, WhatsApp has struggled to move forward. Its architecture lags behind its competitors, and it is missing key features such as multi-device access and fully encrypted backups. While the world's most popular communication tool focuses on its new terms of service, the basis of Facebook's latest money-making scheme, those much-needed advances remain "in development".
Then there is the scourge of account hijacking. Month after month we see warnings about scams in which users are tricked into handing over the six-digit SMS codes sent to activate new WhatsApp installations. Once an account has been hijacked, restoring it can be slow and painful. We have even seen stories of hijacked accounts causing other accounts to be blocked.
To be fair to WhatsApp, account hijacking requires user error. Put simply, you should never send anyone the six-digit code sent to your phone; such a request is almost certainly a scam that will end with one of your accounts being hijacked. WhatsApp seems more susceptible to this than other apps, and it really should require two-factor authentication (2FA) or develop a trusted-device architecture, similar to Google's and Apple's.
Ironically, not even WhatsApp's two-factor authentication can stop the attack behind the latest warning. That is the real problem for any user hit by this: even if you follow all the safety advice, nothing will help.
The newly disclosed flaw involves two separate WhatsApp processes, both with fundamental weaknesses. Combined, the two weaknesses can disable your WhatsApp and prevent you from logging back in.
When you install WhatsApp on a phone for the first time, or when you change phones, the platform sends you an SMS code to verify your account. Once you have entered the correct code, the app asks for your 2FA PIN to make sure it is really you, and then you are in.
Now to the first weakness. Anyone can install WhatsApp on their phone and type your number into the verification screen. You will then receive a WhatsApp text message and a phone call with the six-digit code. You will also see a notification from your WhatsApp app telling you that a verification code has been requested and warning you not to share it.
An attacker can do this with your WhatsApp phone number while you continue to use your app as normal. They request repeated codes and enter wrong guesses into their app. You receive the text-message codes and perhaps a phone call, but you can do nothing with them and there is nowhere to enter them, so you ignore them all.
The problem is that WhatsApp's verification process limits the number of codes that can be sent. After a few tries, the attacker's WhatsApp says "Forward SMS/Call me within 12 hours", and no new codes can be generated. WhatsApp also blocks code entry after multiple attempts, telling the attacker "You guessed too many times... try again in 12 hours."
So WhatsApp on your phone continues to work normally, while the attacker has blocked both the sending of new codes and entry on the verification screen. Now everything depends on the 12-hour timer counting down.
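The design point in the first weakness is that the request and guess limits are keyed on the phone number alone, so a stranger's activity exhausts the account owner's quota. The following toy model, an added example and not WhatsApp's code, runs the sequence described above against two limiter designs: one keyed on the phone number only, and one keyed on the requesting installation. The caps, the 12-hour window, the phone number and the installation identifiers are all constructed assumptions.

```python
"""Toy model of the code-request and code-entry limits described above.

Added example, not WhatsApp's code. Compares a limiter keyed on the phone
number alone (the weakness: anyone's requests and wrong guesses count
against the owner) with one keyed on the requesting installation.
All limits and identifiers below are assumptions.
"""
from collections import defaultdict

MAX_CODE_REQUESTS = 5       # assumed cap on SMS/call requests per window
MAX_WRONG_GUESSES = 5       # assumed cap on wrong code entries per window
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour wait the article describes


class VerificationService:
    def __init__(self, per_installation: bool):
        self.per_installation = per_installation
        self.requests = defaultdict(int)
        self.guesses = defaultdict(int)
        self.request_locked_until = {}   # key -> timestamp
        self.guess_locked_until = {}     # key -> timestamp
        self.codes = {}                  # phone -> last code delivered

    def _key(self, phone, installation_id):
        # The weak design ignores who is asking; the hardened one does not.
        return (phone, installation_id) if self.per_installation else phone

    def request_code(self, phone, installation_id, now):
        key = self._key(phone, installation_id)
        if self.request_locked_until.get(key, 0) > now:
            return "wait_before_requesting"
        self.requests[key] += 1
        if self.requests[key] > MAX_CODE_REQUESTS:
            self.request_locked_until[key] = now + LOCKOUT_SECONDS
            return "wait_before_requesting"
        self.codes[phone] = "123456"  # constructed; delivered to the owner's phone
        return "code_sent"

    def enter_code(self, phone, installation_id, code, now):
        key = self._key(phone, installation_id)
        if self.guess_locked_until.get(key, 0) > now:
            return "too_many_guesses"
        if self.codes.get(phone) == code:
            return "verified"
        self.guesses[key] += 1
        if self.guesses[key] >= MAX_WRONG_GUESSES:
            self.guess_locked_until[key] = now + LOCKOUT_SECONDS
            return "too_many_guesses"
        return "wrong_code"


def simulate(per_installation):
    """Replay the article's sequence; return what the owner's app gets back."""
    svc = VerificationService(per_installation)
    victim_phone = "+15550100"            # constructed
    stranger_install = "stranger-device"  # constructed
    owner_install = "owner-device"        # constructed
    t = 0
    # A stranger types the owner's number and asks for codes until the
    # request limit trips...
    for _ in range(MAX_CODE_REQUESTS + 1):
        svc.request_code(victim_phone, stranger_install, t)
    # ...then enters wrong codes until the entry limit trips.
    for _ in range(MAX_WRONG_GUESSES):
        svc.enter_code(victim_phone, stranger_install, "000000", t)
    # An hour later the owner's app is deactivated and must re-verify,
    # using the genuine code that was delivered to their phone.
    t = 3600
    request = svc.request_code(victim_phone, owner_install, t)
    entry = svc.enter_code(victim_phone, owner_install, "123456", t)
    return request, entry


if __name__ == "__main__":
    print("keyed on number only:  ", simulate(per_installation=False))
    print("keyed per installation:", simulate(per_installation=True))
```

With the number-only limiter the owner is told to wait and the genuine code is refused, exactly the symptoms described above; with per-installation keys the owner's own device is untouched by the stranger's activity. The per-installation key is a simplification (a real service would also bound the total volume per number), but it shows which half of the lockout has to be scoped to the requester.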
None of this is a problem for you, unless your WhatsApp is deactivated and you need to authenticate again. Which brings us to the second weakness.
The attacker now registers a new email address (Gmail will do) and sends an email to firstname.lastname@example.org: lost/stolen phone, the email says, please deactivate my number. The attacker includes your phone number. WhatsApp may send an automated reply asking for the number again, and the attacker simply repeats it.
So let's be very clear. WhatsApp has received an email containing your phone number. It has no way of knowing whether the email is really from you. There are no follow-up questions to confirm that you hold the number. But without your knowledge an automated process has been triggered, and your account is now going to be deactivated.
About an hour later, WhatsApp suddenly stops working on your phone and you see a shocking notification: "Your phone number is no longer registered with WhatsApp on this phone," it says. "This may be because you registered it on another phone. If you did not, please verify your phone number to log back into your account." This deactivation appears to be automated, with keywords triggering the action.
This happens even if you have 2FA on your WhatsApp account. But it still shouldn't be a problem: you just need to request a code and re-register your account.
Your disabled WhatsApp asks for your phone number so it can send you a verification code. You enter and confirm your number. But no text message arrives. "Have you tried registering [your number] recently," the app tells you. "Please wait a moment before requesting a text or call."
Wait, what? You haven't requested anything. But your phone is now subject to the same countdown as the attacker's phone. You cannot request new codes for the remainder of the 12 hours. Of course, you know nothing about any of this; you are completely confused.
But then you remember the unexpected WhatsApp code you received an hour or two ago. You retrieve the latest text message and enter the code into WhatsApp. Even that doesn't work. Your WhatsApp tells you, "You've guessed too many times". Obviously you haven't guessed at all. But your phone is under the same restrictions as the attacker's phone. You can't request a new code, you can't enter the last code, you're stuck.
At this point the countdown may show between 10 and 11 hours. If the attack stopped here, you would be able to request a new text message and verify your account with a fresh six-digit code once the 12-hour timer expires. But there is an unpleasant twist.
Instead of emailing WhatsApp during the first 12-hour countdown, the attacker can wait and then repeat the process. You get more text messages, but you still can't do anything with them, despite your suspicion that something is wrong.
If the attacker does this again, within the third 12-hour period WhatsApp breaks. "You guessed too many times", your app says, "Retry in -1 seconds". Now the attacker can neither request nor enter a new code, and there is no countdown: it shows "-1 seconds" instead of "12 hours". It has stalled.
Unfortunately, your phone is treated the same as the attacker's phone, so if the attacker waits until now to have you kicked out of the app, you will not be able to re-register WhatsApp on your phone until you email WhatsApp support about your number. "It's too late," the researchers told me. You have to contact WhatsApp and try to find someone who can help.
Even if the attacker has your phone deactivated during the first cycle, they can push you into a second 12-hour countdown as you wait to request and enter a code at the end of the first one. Remember, they see the same timer as you.
Clearly, this combination of verification architecture, SMS/code limits, and keyword-based automation triggered by incoming emails is open to abuse. The attack isn't sophisticated, and that is the real problem; WhatsApp should fix it right away. There are any number of reasons why someone might benefit from blocking you from your favourite communication tool. It should not be this easy. And it should not work when 2FA is enabled, as it was on the "victim" app here.
It isn't complicated and should be easy to fix. WhatsApp could use 2FA as a circuit breaker, ensuring that apps on 2FA-enrolled devices are unaffected. Simpler still, WhatsApp could adopt the trusted-device concept, letting one authenticated app vouch for another when multi-device access finally arrives. Either would be a better system that eliminates this vulnerability.
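The second weakness (an email with a keyword and a phone number deactivates the account, with no proof of possession) and the fix suggested here (2FA-enrolled, still-registered devices as a circuit breaker) can be put side by side in code. The model below is an added example, not WhatsApp's code or process: a keyword handler that acts on any sender, next to a hardened handler that only automates requests from the recovery email registered with 2FA and lets the registered device veto the change while it is still online. The trigger words, addresses, phone number and message texts are constructed assumptions.

```python
"""Toy model of email-triggered account deactivation.

Added example, not WhatsApp's code. `keyword_handler` is the weak design
described in the article; `hardened_handler` adds sender verification and
uses the still-registered device as a circuit breaker. Keywords, addresses
and numbers are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

TRIGGER_WORDS = ("lost", "stolen")      # assumed automation keywords
PHONE_RE = re.compile(r"\+\d{7,15}")    # E.164-style number in the body


@dataclass
class Device:
    online: bool
    # The owner's answer when the registered app asks "was this you?"
    confirms_deactivation: bool = False


@dataclass
class Account:
    phone: str
    recovery_email: Optional[str]       # set when 2FA is enrolled
    registered_device: Optional[Device]
    active: bool = True


@dataclass
class Email:
    sender: str
    body: str


def _target_phone(accounts, email):
    """Return the account phone named in a trigger-word email, else None."""
    m = PHONE_RE.search(email.body)
    if not m or m.group(0) not in accounts:
        return None
    if not any(w in email.body.lower() for w in TRIGGER_WORDS):
        return None
    return m.group(0)


def keyword_handler(accounts, email):
    """Weak: a keyword plus a number from anyone deactivates the account."""
    phone = _target_phone(accounts, email)
    if phone is None:
        return "ignored"
    accounts[phone].active = False
    return "deactivated"


def hardened_handler(accounts, email):
    """Hardened: verify the sender, then let the registered device veto."""
    phone = _target_phone(accounts, email)
    if phone is None:
        return "ignored"
    acct = accounts[phone]
    # 1. With 2FA enrolled, only the recovery address may drive automation.
    if acct.recovery_email and email.sender.lower() != acct.recovery_email.lower():
        return "escalated_to_support"
    # 2. Circuit breaker: a still-online registered device answers in-app
    #    before anything changes, so a stranger cannot knock the owner off.
    dev = acct.registered_device
    if dev is not None and dev.online:
        if dev.confirms_deactivation:
            acct.active = False
            return "deactivated"
        return "vetoed_by_device"
    # 3. No 2FA recovery address and no reachable device: nothing ties this
    #    email to the owner, so a human must review it.
    if not acct.recovery_email:
        return "escalated_to_support"
    acct.active = False
    return "deactivated"


def run_scenarios():
    """Replay the article's scenarios against both handlers."""
    def fresh():
        return {"+15550100": Account("+15550100", "owner@example.com",
                                     Device(online=True))}
    stranger = Email("random123@example.net",
                     "Lost/stolen phone, please deactivate +15550100")
    owner = Email("owner@example.com",
                  "My phone was stolen, please deactivate +15550100")
    out = {}
    out["keyword_stranger"] = keyword_handler(fresh(), stranger)
    out["hardened_stranger"] = hardened_handler(fresh(), stranger)
    out["hardened_owner_device_online"] = hardened_handler(fresh(), owner)
    accounts = fresh()
    accounts["+15550100"].registered_device.online = False
    out["hardened_owner_device_offline"] = hardened_handler(accounts, owner)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} {result}")
```

The stranger's email deactivates the account under the keyword handler but is escalated under the hardened one; a genuine owner whose phone really is gone (device offline) is still served automatically, while a request that arrives while the registered device is reachable is held until the owner answers in the app.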
The flaw points to another serious problem with WhatsApp, Moore said. "There is no way to opt out of being discoverable on WhatsApp," he warned. "Anyone can enter a phone number to look up the associated account, if it exists. Ideally, stronger privacy protections would help protect users from this and force people to implement 2-step verification PINs."
In response to this disclosure, a WhatsApp spokesperson told me, "Providing an email address with 2-step verification helps our customer service team assist people when they encounter this unlikely issue. What the researchers have discovered violates our terms of service, and we encourage anyone who needs assistance to email our support team so we can investigate."
What they're saying is that if you carry out this attack, you are violating their terms of service and will face consequences. That doesn't help any victim, but it should serve as a warning against attempting this exploit.
WhatsApp did not confirm any plans to fix the vulnerability, even though it can be exploited easily and anonymously. Its response downplayed the risk, but the risk is very real. Beyond the hassle factor, there are material benefits to taking someone "off the grid". Given WhatsApp's widespread use, this is a security hole that needs to be fixed. Attackers don't even need a phone number to spoof new installations; devices connected over WiFi work just fine.
Unfortunately, downplaying the seriousness of security risks has become Facebook's house style. In 2019, I reported on a vulnerability that allowed the mass extraction of users' private phone numbers from Facebook's database using automated bots. Facebook acknowledged the hack but dismissed it as an "unlikely issue". Some 533 million users may now disagree.
So what should you do? Enable 2FA to protect against actual account hijacking, and it is worth adding an email address to help if this happens to you. In the meantime, heed any warning that a verification code has been requested for your number, and if it keeps happening, contact WhatsApp support immediately.
Of course, your other option is to follow Mark Zuckerberg's lead and switch to Signal. The privacy-first messaging tool, the most viable alternative to WhatsApp, is ironically part-funded by WhatsApp co-founder Brian Acton.
I hope WhatsApp changes its stance and fixes this bug; when that happens, I will update this story.
Update April 13:
After this article was published, Tsachi Ganot, CEO of Israeli security firm Pandora Security, contacted me to say that this is not the first time major authentication flaws have been pointed out to Facebook and WhatsApp.
In December, Ganot's team exploited the flaw in a different way, reporting a user's phone as lost to block the verification process. Ganot's findings were published in Israel at the time, and his team believed the vulnerability had been widely exploited to disconnect user accounts.
That variant had to be carried out while the victim had no access to their phone, possibly overnight, which made the 12-hour countdown all the more critical, because otherwise the victim would be able to enter the code. But the core problem is the same.
"We investigated this issue in December," Ganot told me this week, "after some customers reported their accounts were suddenly disconnected. When we realized how serious and easy this attack was, we contacted Facebook, but it was completely ignored, so we wrote about it. It's unfortunate to learn that nothing has changed, but not surprising."
We now know that, with a new twist, this attack works even if the victim has their phone and can see the incoming verification messages, making the 12-hour countdown irrelevant. We also now know that pushing the process through three times stalls the 12-hour countdown and locks the phone out completely.
Facebook also appears to have been aware of this problem: I notified them of the new research on March 25. That the bug still exists, with no fix confirmed to be in the works, is concerning. One hopes that all the media coverage this week will encourage Facebook/WhatsApp to address it.