WhatsApp has often advertised the robustness of their end-to-end encryption that keeps the content within chats safe from a third party to access it. But what happens if the user is not able to access the app itself to read these messages? A recent vulnerability has been discovered in WhatsApp security that could let a third person block a WhatsApp user’s access from their own account for a considerable amount of time. One of the biggest issue with this new vulnerability is that it doesn’t need the third person to be a trained hacker or even have a lot of experience with hacking.
This new flaw was discovered by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, according to a report by Forbes. The researchers claim that any malicious actor who has access to your WhatsApp phone number can take advantage of this vulnerability and lock you out from your own account for extended periods of time. Gaining back access can also be a tricky affair for many.
The malicious party just needs a phone number they want to target and any smartphone that can run WhatsApp. Once they’ve downloaded the application, they will go through the verification process. They can use their target’s WhatsApp phone number to request verification OTP. While there is no way they can successfully guess the OTP, they will continue to enter wrong passwords and will eventually be locked out of further attempts. Until this point, the primary user or the target of the attack will still be able to access their WhatsApp account on their pre-existing smartphones. However, multiple requests for OTP can clearly signal that someone is trying to access their account.
In order to stop the primary user from accessing their account, the hacker will then send an email to WhatsApp asking for the deactivation of the victim’s account. The user will then not be able to access their account. Since the hacker entered the wrong OTP multiple times, the user will not be able to re-activate the account for an extended period of time. Even two-factor authentication will not be able to deflect such attacks. According to WhatsApp, for now, the only way to be sure that this vulnerability is not used against your account is to provide the instant messaging application with your email address along with six-digit two-factor authentication.