The green messaging app that simply can’t keep itself out of the news these days, WhatsApp, is affected by a flaw that lets an attacker lock you out of your account. The attacker never gets into the account itself, but they can have it deactivated and then stop you from registering it again.
Luckily, it is not easy to pull off, according to the researchers who found the loophole: a full lockout takes around 36 hours of effort (three 12-hour block cycles), more than a good day’s work. Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña found the flaw, and their findings were reported in Forbes.
How the lockout works
The attacker installs WhatsApp on their own phone, enters your number and repeatedly asks for a verification code. The codes go to your phone, so the attacker can never enter a correct one, but after enough failed requests the platform blocks the number from receiving any more codes for 12 hours. The attacker then sets up a new email address and emails WhatsApp support, claiming the phone has been lost or stolen and asking for the number to be deactivated. Support deactivates the account.
The problem is that WhatsApp does not check whether the email address has anything to do with the number; it simply honours the request and locks the account. Because the number is still blocked from receiving codes, you cannot re-register it for 12 hours. The attacker repeats the whole cycle three times, after which both of you see a “Try again after -1 seconds” message when trying to register the number.
The outcome? Your account is locked, and you’ll need to contact WhatsApp to retrieve it. What makes this method notable is that it can only lock someone out: the attacker gains no access to messages, data or money.
WhatsApp’s response is to point people at two-step verification. According to TNW, WhatsApp said in a statement that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.”
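To make the two-part failure concrete, here is an added toy model (not WhatsApp’s code, and not from the researchers) of the sequence above and of the email advice in the statement. It assumes a per-number rate limiter that blocks code delivery for 12 hours after a fixed number of requests, freezes the number after three blocks (reproducing the “-1 seconds” message), and a support channel that either honours any deactivation email or only one from the address registered with two-step verification; the request threshold, the victim number and the email addresses are constructed for the example.

```python
# Toy model of the lockout sequence described above.  The thresholds, the
# per-number counter and the "-1 seconds" rule are ASSUMPTIONS chosen to
# reproduce the observable behaviour; this is not WhatsApp's real code.
from dataclasses import dataclass

HOUR = 3600
MAX_CODE_REQUESTS = 5        # assumed: code requests allowed before a block
BLOCK_SECONDS = 12 * HOUR    # the 12-hour block the article describes
MAX_BLOCK_CYCLES = 3         # the third block freezes the number
FROZEN = -1                  # the "Try again after -1 seconds" state


@dataclass
class NumberState:
    active: bool = False      # a device is currently registered to the number
    owner_email: str = ""     # email registered with two-step verification
    code_requests: int = 0
    blocked_until: float = 0.0
    block_cycles: int = 0


class RegistrationService:
    """Verification-code rate limiter keyed on the target number, plus a
    support channel for 'lost phone, please deactivate' requests."""

    def __init__(self, verify_deactivation_sender: bool):
        # False: honour any sender (the behaviour in the article).
        # True:  only the email on file may deactivate (assumed hardening).
        self.verify_deactivation_sender = verify_deactivation_sender
        self.numbers: dict[str, NumberState] = {}

    def _state(self, number: str) -> NumberState:
        return self.numbers.setdefault(number, NumberState())

    def request_code(self, number: str, now: float) -> int:
        """Return 0 if a code was sent, the seconds left on a block, or
        FROZEN once the number has been blocked MAX_BLOCK_CYCLES times."""
        st = self._state(number)
        if st.block_cycles >= MAX_BLOCK_CYCLES:
            return FROZEN
        if now < st.blocked_until:
            return int(st.blocked_until - now)
        if st.blocked_until:                 # a block has just expired
            st.code_requests, st.blocked_until = 0, 0.0
        st.code_requests += 1
        if st.code_requests > MAX_CODE_REQUESTS:
            # The counter belongs to the *number*, not to the requester, so
            # anyone who knows the number can trip it against its owner.
            st.blocked_until = now + BLOCK_SECONDS
            st.block_cycles += 1
            return BLOCK_SECONDS
        return 0

    def register(self, number: str, now: float, email: str = "") -> bool:
        """The legitimate owner activates the number; needs a code delivered."""
        st = self._state(number)
        if self.request_code(number, now) != 0:
            return False
        st.active = True
        if email:
            st.owner_email = email
        return True

    def deactivate_lost_phone(self, number: str, sender_email: str) -> bool:
        """Support channel: 'my phone was lost or stolen, deactivate my number'."""
        st = self._state(number)
        if self.verify_deactivation_sender and sender_email != st.owner_email:
            return False
        st.active = False
        return True


def simulate_attack(verify_sender: bool) -> dict:
    """Run the three-cycle lockout against a constructed victim number."""
    svc = RegistrationService(verify_sender)
    victim, now = "+10000000001", 0.0     # constructed sample number
    if not svc.register(victim, now, email="owner@example.test"):
        raise RuntimeError("victim could not register")
    log = []
    for cycle in range(MAX_BLOCK_CYCLES):
        # 1. attacker installs the app and hammers "send me a code" for the victim's number
        while svc.request_code(victim, now) == 0:
            pass
        # 2. attacker emails support from a fresh throwaway address
        deactivated = svc.deactivate_lost_phone(victim, f"throwaway{cycle}@example.test")
        # 3. the victim tries to re-register and is told to wait
        wait = svc.request_code(victim, now)
        log.append((cycle + 1, deactivated, wait))
        now += BLOCK_SECONDS          # attacker waits out the block and repeats
    st = svc.numbers[victim]
    return {"active": st.active, "wait": svc.request_code(victim, now), "log": log}


if __name__ == "__main__":
    for flag in (False, True):
        print("verify sender =", flag, simulate_attack(flag))
```

With the sender check off, each cycle deactivates the victim and the third one freezes the number; with it on, the throwaway emails are refused and the victim keeps their session. Note what the email check does not fix: the limiter is still keyed on the target number, so a stranger can still make re-registration impossible for the duration of a block. Keying the counter on the requesting device or address, not on the number being attacked, is the other half of a real fix.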