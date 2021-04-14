

A security flaw in the WhatsApp authentication system allows any user with the necessary knowledge to use the instant messaging application to expel another user from it, deactivating their account.

Disconnecting is not easy and requires at least 36 hours, but it is possible

It is not an easy process, and completing it requires an attack lasting at least 36 hours, but the possibility of it occurring, however remote, is real. This has been pointed out by two security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, who explained to Forbes how the vulnerability works.

To do this, the attacker needs to know the phone number of the person being targeted. The attacker installs WhatsApp and repeatedly tries to access the victim's account. Because the attacker cannot enter the access codes that WhatsApp sends to the user's mobile, WhatsApp ends up blocking the account.

WhatsApp disables the account for 12 hours after receiving multiple code requests. In the meantime, the attacker creates a new email address and sends an email to the WhatsApp contact address claiming that the mobile has been lost or stolen and requesting that the account be deactivated. Apparently, WhatsApp does not always check whether that is the email address associated with the account, so if the request succeeds, it blocks the user and expels them from the application.

Even so, the user could access WhatsApp again after 12 hours, so the attacker must repeat this process at least two more times. On the third time, WhatsApp ends up blocking the account, and the only way to access it again is by contacting WhatsApp support.

In reality, the account is not compromised and personal information is not accessed. What the attack achieves is that the WhatsApp user loses access to the account until they contact WhatsApp and it is restored.

This is not an easy process, but it makes evident that WhatsApp may not confirm who owns the email address that requests the blocking. The company has acknowledged that “this is a very rare problem” and has recommended using double authentication on the account to ensure that access is always carried out by the owner of the account.

Interestingly, WhatsApp has not confirmed that this remote possibility of error will be fixed. In any case, if fraudulent access occurs, the user will have no choice but to contact WhatsApp support via email. The company is working on creating a support chat, but it has not yet been officially launched.

