
This security flaw in WhatsApp allows anyone to block your account


A simple but disturbing security flaw in WhatsApp allows anyone who knows your phone number to lock you out of your account.

The problem is not a bug in WhatsApp’s code but a flaw in the design of the process the service uses to lock accounts. The attacker cannot read your messages, but can leave you without access to the popular messaging app and with no indication of what happened.

A problem in WhatsApp that can cause a lot of headaches

The mechanism is simple. The attacker installs WhatsApp on a new phone and enters your number to activate the service. They cannot complete the verification, because the six-digit code is sent to your phone number, not to them.

Having entered your number, the attacker then submits several random verification codes, all of which fail. After enough failed attempts, WhatsApp stops accepting new six-digit codes for that number for 12 hours. The lockout is tied to the phone number rather than to the device that made the failed attempts, so it affects you as much as the attacker.

For the victim, everything keeps working for the time being. Here is where the interesting part comes in: once that 12-hour lockout is in place, the attacker sends an email, from a disposable address such as a newly created Gmail account, to WhatsApp’s support address. It is enough to state in that message that the phone with your number has been lost or stolen and that the account needs to be disabled.


WhatsApp simply takes the attacker’s claim at face value. The request is handled in an automated process that asks for no proof of identity, and it ends with the goal accomplished: your WhatsApp account is suspended without any further action. The attacker can repeat the process several times to make it almost impossible for you to use the app normally.
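The two design choices that make this attack work, as an added illustration that is not WhatsApp’s code (the class and method names, the five-attempt threshold and the recovery token are invented for the model): a failed-attempt lockout keyed on the phone number alone, so anyone who starts a registration against your number can trip it for you too, and a support deactivation path that believes an unverified “lost phone” claim. The hardened variant keys the lockout on the requesting client as well as the number and requires a secret the attacker does not have.

```python
"""Toy model of the lockout design behind the article's attack.
Added illustration only; not WhatsApp's code, all names are invented."""
import secrets
import time

MAX_FAILED_ATTEMPTS = 5          # assumed threshold; the article only says "several"
LOCKOUT_SECONDS = 12 * 3600      # the 12-hour window the article describes


class RegistrationService:
    """Phone-number registration with a failed-code lockout and a support
    deactivation path. Subclasses decide what the lockout is keyed on and
    whether a deactivation request needs proof of ownership."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}       # number -> {"active": bool, "recovery_token": str}
        self.sms_outbox = {}     # number -> last code "delivered" to that SIM (stub)
        self.pending = {}        # lock key -> code expected for that registration
        self.failed = {}         # lock key -> consecutive wrong codes
        self.locked_until = {}   # lock key -> unix time the lockout ends

    def lock_key(self, number, client_id):
        raise NotImplementedError

    def deactivation_allowed(self, account, proof):
        raise NotImplementedError

    def register(self, number):
        # Assumed design: the owner receives a recovery token at registration.
        token = secrets.token_hex(16)
        self.accounts[number] = {"active": True, "recovery_token": token}
        return token

    def is_locked(self, number, client_id):
        key = self.lock_key(number, client_id)
        return self.locked_until.get(key, 0) > self.clock()

    def request_code(self, number, client_id):
        if self.is_locked(number, client_id):
            return "locked"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[self.lock_key(number, client_id)] = code
        self.sms_outbox[number] = code   # only the holder of the SIM sees this
        return "sent"

    def submit_code(self, number, client_id, code):
        key = self.lock_key(number, client_id)
        if self.is_locked(number, client_id):
            return "locked"
        expected = self.pending.get(key)
        if expected is not None and secrets.compare_digest(expected, code):
            self.failed[key] = 0
            return "verified"
        self.failed[key] = self.failed.get(key, 0) + 1
        if self.failed[key] >= MAX_FAILED_ATTEMPTS:
            self.failed[key] = 0
            self.locked_until[key] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "wrong"

    def support_deactivate(self, number, proof=None):
        account = self.accounts.get(number)
        if account is None:
            return "unknown"
        if not self.deactivation_allowed(account, proof):
            return "rejected"
        account["active"] = False
        return "deactivated"


class VulnerableService(RegistrationService):
    """Lockout keyed on the number alone; support trusts any 'lost phone' claim."""

    def lock_key(self, number, client_id):
        return number

    def deactivation_allowed(self, account, proof):
        return True


class HardenedService(RegistrationService):
    """Lockout keyed on (number, client); deactivation needs the owner's token."""

    def lock_key(self, number, client_id):
        return (number, client_id)

    def deactivation_allowed(self, account, proof):
        return proof is not None and secrets.compare_digest(proof, account["recovery_token"])


def run_attack(service, victim="+15550100", attacker="attacker-phone", owner="victim-phone"):
    """Replay the article's scenario and report what the victim experiences."""
    token = service.register(victim)
    # Attacker starts a registration for the victim's number and burns the attempts
    # with guesses that cannot match (a real attacker would guess random six-digit codes).
    service.request_code(victim, attacker)
    status = None
    for _ in range(MAX_FAILED_ATTEMPTS):
        status = service.submit_code(victim, attacker, "wrong")
    # Victim now tries to verify from their own phone, using the code their SIM received.
    verify = "locked"
    if service.request_code(victim, owner) == "sent":
        verify = service.submit_code(victim, owner, service.sms_outbox[victim])
    # Attacker e-mails support with a bare claim and no proof.
    deactivation = service.support_deactivate(victim)
    active = service.accounts[victim]["active"]
    return {
        "attacker_locked": status == "locked",
        "victim_can_verify": verify == "verified",
        "support_deactivated": deactivation == "deactivated",
        "account_active": active,
        "owner_can_deactivate": service.support_deactivate(victim, proof=token) == "deactivated",
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableService()))
    print("hardened:  ", run_attack(HardenedService()))
```

Keying the lockout on a client identifier is a simplification: since the attacker chooses that identifier, a real service would also throttle per source address or attested device, and above all must not let an unverified registration attempt disturb a session that is already verified. The recovery token stands in for whatever proof of ownership a deactivation request should carry; the point is that a bare claim from a throwaway email address is not it.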

This security flaw might cause your account to be blocked

You have to wait out the 12-hour period that the attacker’s failed code entries started. Only then can you reactivate the account, but since you are never told when that lockout began, you will have to keep trying until it ends.

Even though this flaw gives no access to your messages or contacts, any attacker who has your phone number can cause you a lot of trouble. WhatsApp and Facebook managers do not appear to be considering a fix at the moment.
