Although the result is more annoying than dangerous, it seems relatively easy for an attacker to lock you out of your account for varying periods of time thanks to a newly discovered quirk of WhatsApp’s two-factor authentication system. All a bad actor needs to know at this point is the phone number assigned to your WhatsApp account. That’s it.
The attack itself is pretty easy to carry out. As Android Police describes it:
This newly discovered bug uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. You can’t verify this as the two-factor authentication system will send the login prompts to your phone instead. After several repeated and unsuccessful attempts, your login will be blocked for 12 hours.
This is where the tricky part comes in: when your account is banned, the attacker will send a support message from their email address to WhatsApp, claiming that their phone has been lost or stolen and that the account associated with your number must now be deactivated. WhatsApp “checks” this with a reply email and locks your account without you having to enter anything. The attacker could repeat the process multiple times to create a semi-permanent lock on your account.
The silver lining here is that the attack cannot be used to break into your account; it can only be used to annoy you by rendering your account unusable for a period of time (possibly permanently, if the attacker is really persistent).
WhatsApp representatives told Forbes that the easiest way to protect yourself against such attacks is to make sure you have added an email address to your two-step verification settings, so that an attacker cannot impersonate you to support. You can do this now by opening WhatsApp, going to Settings, tapping Two-step verification, and entering your email address (or checking whether you have already done so).
This won’t block the attack per se, but it will make it a lot easier for WhatsApp’s support team to help you if you end up in a feedback loop that prevents your account from being verified, which happens when an attacker contacts WhatsApp pretending that your account has been compromised and asking for it to be disabled. (You will then be sent codes to undo the incorrect deactivation, but you won’t be able to enter them because of the earlier trick that temporarily blocked you after too many incorrect 2FA codes.)
As Forbes’ Zak Doffman writes:
This is not complex and should be easy to fix. WhatsApp could ensure that an app on a device with 2FA registration could prevent this problem by using 2FA as a breaker. It’s even easier if WhatsApp uses multiple device access and uses the trusted device concept to allow one verified app to verify another. This is a much better system and would close this vulnerability.
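To make the “breaker” and trusted-device ideas in that quote concrete, here is a small Python model added to this article. It is not WhatsApp’s code and does not describe WhatsApp’s actual internals; the attempt limit, the 12-hour lock, the phone number and the device names are all constructed for illustration. It contrasts a failed-attempt counter keyed only by phone number, which any stranger who knows the number can exhaust, with one keyed by the requesting device, and it only honours a deactivation request from a device that has already passed verification.

```python
from dataclasses import dataclass, field

MAX_FAILED = 3            # constructed limit; the real threshold is not stated
LOCK_SECONDS = 12 * 3600  # the 12-hour block described in the article


@dataclass
class Account:
    phone: str
    trusted_devices: set = field(default_factory=set)  # devices that passed 2FA
    failed: dict = field(default_factory=dict)         # lock key -> failed count
    locked_until: dict = field(default_factory=dict)   # lock key -> unlock time


def lock_key(account, device, per_device):
    # Weak policy: one counter per phone number, so anyone who knows the number
    # can exhaust it. Hardened policy: one counter per (number, device) pair.
    return (account.phone, device) if per_device else account.phone


def attempt_verification(account, device, code_ok, now, per_device):
    key = lock_key(account, device, per_device)
    if account.locked_until.get(key, 0) > now:
        return "locked"
    if code_ok:
        account.failed[key] = 0
        account.trusted_devices.add(device)
        return "ok"
    account.failed[key] = account.failed.get(key, 0) + 1
    if account.failed[key] >= MAX_FAILED:
        account.locked_until[key] = now + LOCK_SECONDS
        return "locked"
    return "denied"


def request_deactivation(account, device, hardened):
    # Weak policy: an emailed "my phone was stolen" request is honoured as-is.
    # Hardened policy: only a device that already passed 2FA may deactivate.
    return device in account.trusted_devices if hardened else True


def simulate(hardened):
    """Replay the article's scenario and report the victim's outcome."""
    acct = Account(phone="+1-555-0100")  # constructed number
    acct.trusted_devices.add("victim-phone")
    for _ in range(MAX_FAILED):  # a stranger guesses codes from a new device
        attempt_verification(acct, "attacker-phone", False, 0, hardened)
    victim = attempt_verification(acct, "victim-phone", True, 1, hardened)
    return victim, request_deactivation(acct, "attacker-phone", hardened)
```

`simulate(False)` reproduces the article: the owner is locked out and the bogus deactivation goes through; `simulate(True)` leaves the owner unaffected while the guessing device is still throttled.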
I would expect WhatsApp to address this issue and fix the 2FA verification process (or the account deactivation process) to make these drive-by-style attacks ineffective. In the meantime, you might want to consider using a completely different WhatsApp number, if possible, to minimize the risk of being locked out.