Facebook’s problems keep growing. This time it is a security hole, found last weekend, in the popular messaging service WhatsApp. Two Spanish students and researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, have detected a problem, present in the service for years, whereby any malicious actor could suspend the account of any user simply by knowing their phone number.
Whether or not the affected user has two-factor authentication enabled makes no difference, since the problem persists in both cases, so they may suddenly find it impossible to access their WhatsApp account.
For now, the expected fix from WhatsApp has not arrived
The discovery was first published in a Forbes post. The procedure is as follows: the malicious actor repeatedly tries to access the affected person’s account without success until the limit of allowed attempts is reached, at which point new attempts are blocked for twelve hours. The malicious actor takes advantage of this window to contact WhatsApp technical support from any email address, urging the deactivation of the account associated with the (victim’s) phone number on the grounds of theft or loss.
This is where WhatsApp technical support comes in: it verifies only that the request has arrived from an active email address, regardless of whether a disposable email service was used, and without checking whether the requesting email address has any relationship to the phone number of the account in question, and then temporarily suspends the affected user’s account.
When the victim tries to open their WhatsApp account, they are met with an alert message stating that “Your phone number is no longer registered in WhatsApp on this phone”.
Worse still, according to the findings of Luis Márquez Carpintero and Ernesto Canales Pereña, the malicious actor can repeat the same operation, leaving the user’s account affected almost permanently.
For now, WhatsApp has not remedied the situation, even though this can be done anonymously from any mobile device by anyone, and it is avoiding its responsibilities as a service despite the fact that the situation violates its own terms and conditions; it is left in the hands of technical support to prevent the exploitation of this type of attack.