WhatsApp is known for a steady stream of vulnerabilities in its application; there is not a year without a high-severity one. After a disastrous 2019 and 2020 in terms of security flaws, WhatsApp has now had its first big flaw of 2021, one that allows anyone to delete your account, and one the company does not believe it needs to patch.
The flaw was discovered by two computer engineering students, Luis Márquez Carpintero and Ernesto Canales Pereña. The two reported the bug to WhatsApp a total of four times, but the company ignored every report. They therefore decided to make it public.
When you install WhatsApp on a phone for the first time, or change phones, the company sends you a verification SMS to access the account associated with your phone number. Because of this process, anyone can install WhatsApp on their own phone, enter your phone number, and cause you to receive an SMS or a call with the six-digit code to access the app, along with a message telling you not to share it. While the attacker keeps trying, you will receive several of these SMS, which you simply have to ignore. Remember that it is very important never to give anyone that six-digit code; asking for it has been a very common scam in recent years.
An email to WhatsApp can deactivate your account
To stop an attacker from trying every possible code, the app blocks the verification process after several attempts and tells you to wait 12 hours. At this point, the attacker can register a new email address and write to [email protected] asking for the account associated with the phone number they have been trying to hijack to be deactivated, using wording that triggers an automated system.
WhatsApp may automatically reply asking for the number to be confirmed. From there, an automated process starts in which WhatsApp deactivates your account without ever checking whether the sender is the real owner of the phone number. The attack cannot even be prevented with two-step verification, and if the number is not registered again, the account is lost forever after 30 days.
Thus, about an hour later, WhatsApp stops working on your phone and you see a notification that says: “Your phone number is no longer registered with WhatsApp on this phone. This may be because you have registered it on another phone. If you have not done this, check your phone to access your account again.”
At first glance this is not worrying, since you can set up the account associated with your number again, just as when installing the app from scratch. However, no SMS arrives now, because the attacker has already tried to register with your number, and you have to wait about 11 hours. Entering the last code you received does not help either, since the app again tells you that you have entered it too many times.
The countdown becomes infinite on the third try
In this way, the attacker only has to wait about 11 hours and then retry with your number to generate new codes and push the waiting time back out to 12 hours. But this is not even necessary: after the third attempt, instead of 12 hours, the countdown shows -1 seconds remaining.
If the attacker now sends the email to the company requesting the suspension of the WhatsApp account, there is no way to recover it, since the countdown is stuck and nothing resets it. The only option is to contact WhatsApp support and pray that they fix it. If you do nothing, your account disappears.
This attack is very easy for anyone to carry out and should be fixed by WhatsApp as soon as possible. Add the Facebook data leak to this and now anyone can find out your phone number and block your WhatsApp account. WhatsApp has limited itself to saying that doing this goes against its terms and conditions of use, as if that mattered to attackers. Likewise, if you want to test the flaw with a new virtual number, you will be violating the app's terms.
An easy way to fix this flaw is to implement a system similar to Telegram's, which sends verification codes through the app itself instead of by SMS. WhatsApp should also immediately remove the possibility of deactivating accounts by email without verifying identity. For users, the best option is to use other apps such as Telegram or Signal. The latter is used even by Mark Zuckerberg, as was learned from the Facebook leak in which his own phone number was exposed.
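To make the fix the article calls for concrete (no deactivation by email without verifying identity), here is an added example that is not from the article or from WhatsApp: a constructed Python model of the deactivation path, with the weak, wording-triggered handler beside a hardened one that only honours a proof of possession from the registered device. The trigger keyword, the HMAC scheme, the nonce handling and all names are assumptions.

```python
import hashlib, hmac, secrets


class Account:
    def __init__(self, phone):
        self.phone = phone
        # Secret provisioned to the registered device at install time (constructed model).
        self.device_key = secrets.token_bytes(32)
        self.active = True


def device_sign_deactivation(device_key, phone):
    """What the registered device (and only it) can produce: an HMAC over the
    request type, the phone number and a fresh nonce, keyed with its device secret."""
    nonce = secrets.token_hex(16)
    msg = f"deactivate:{phone}:{nonce}".encode()
    return nonce, hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class DeactivationService:
    """Constructed model of the support-email deactivation path, not WhatsApp's code."""
    def __init__(self):
        self.accounts = {}
        self.used_nonces = set()

    def register(self, phone):
        self.accounts[phone] = Account(phone)
        return self.accounts[phone]

    def deactivate_by_email_weak(self, phone, sender_email, body):
        """The flaw the article describes: an automated handler acts on the wording
        of the mail alone; sender_email is never tied to the phone number."""
        acct = self.accounts.get(phone)
        if acct is None or "deactivate" not in body.lower():
            return False
        acct.active = False
        return True

    def deactivate_hardened(self, phone, nonce, tag):
        """Hardened design: honour the request only with a valid, unused proof of
        possession from the registered device; the email text is irrelevant."""
        acct = self.accounts.get(phone)
        if acct is None or nonce in self.used_nonces:
            return False
        msg = f"deactivate:{phone}:{nonce}".encode()
        expected = hmac.new(acct.device_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.used_nonces.add(nonce)
        acct.active = False
        return True
```

A production version would also expire nonces and log every refused request, so that a wave of unauthenticated deactivation attempts against one number is visible to the operator.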