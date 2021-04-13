

Today we bring a nasty new surprise to WhatsApp’s 2 billion users, with the discovery of an alarming security risk. Using just your phone number, a remote attacker can easily disable WhatsApp on your phone and then prevent you from logging back in. Even two-factor authentication can’t stop it. This is how the attack works.

WhatsApp: two students discover a bug that has been active for years and has not been corrected

Two students and researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned that they could hack WhatsApp, blocking an account using only the victim’s phone number.

“Every month, we see warnings about various types of scams, in which users are tricked into giving the six-digit code that is sent by SMS to activate a new installation of WhatsApp. And once an account has been hijacked, restoring it can be time consuming and painful. We have even seen stories about hijacked accounts that have caused other accounts to be blocked,” they comment.

And unfortunately, not even WhatsApp’s two-factor authentication prevents the attack behind this latest warning.

In detail: How do you get control of an account?

When you install WhatsApp on your phone for the first time, or change your phone, the platform sends you a code by SMS to verify the account. Anyone can install WhatsApp on a phone and enter your number on the verification screen. You will then receive WhatsApp texts and calls with the six-digit code. You will also see a notification from the WhatsApp application, indicating that a code has been requested and warning you not to share it.

An attacker can do this with your phone number while you continue to use the app normally. They request codes repeatedly and deliberately enter wrong, random numbers in the app. You will receive the codes by SMS, and perhaps the calls as well.

The problem is that the WhatsApp verification process limits the number of codes that can be sent. After a few tries, the attacker’s WhatsApp will say: “Re-send an SMS / call me in 12 hours”, and thus no new codes can be generated. WhatsApp also blocks code entries in the app after a number of attempts. None of this is a problem for you unless WhatsApp is deactivated on your phone and you have to verify again.

Next, the attacker registers a new email address and sends an email to [email protected] with the following message: “Account lost / stolen, please disable my number.” The attacker includes your number.

WhatsApp has received an email that refers to a phone number. They have no way of knowing whether it really comes from the owner of that number, but as a precaution they decide, without the knowledge of the account owner, to deactivate it. WhatsApp then stops working on the victim’s phone, and you will see an alarming notification: “Your phone number is no longer registered in WhatsApp on this phone.”

This is where, unfortunately, the victim’s phone is treated in the same way as the attacker’s. So if the attacker waits until the codes are blocked before sending the email to the WhatsApp helpdesk to deactivate the number, there will be no way for you to re-register WhatsApp on your phone once you are kicked out of the app. You will have to contact WhatsApp and try to find someone who can help you.

WhatsApp does not solve the problem

WhatsApp should address this problem immediately. However, the platform did not want to confirm that it plans to fix this vulnerability, even though it can be easily and anonymously exploited.
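
The lockout behaviour described above can be modelled in a few lines, which shows why a throttle keyed only on the phone number also shuts out the account owner. This is an added illustration, not WhatsApp's code and not from the researchers: the `Throttle` class, the three-attempt threshold, the device names and the known-device exemption are assumptions, and only the 12-hour wait comes from the article.

```python
"""Toy model of a verification-code throttle (constructed; not WhatsApp's code)."""
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3              # assumed; the article only says "a number of attempts"
LOCKOUT_SECONDS = 12 * 3600   # the 12-hour wait quoted in the article


@dataclass
class Throttle:
    """Counts failed code entries and refuses verification while locked."""
    trust_known_devices: bool
    failures: dict = field(default_factory=dict)       # key -> failed attempts
    locked_until: dict = field(default_factory=dict)   # key -> unlock time (s)
    known_devices: dict = field(default_factory=dict)  # number -> last verified device

    def _key(self, number, device):
        # Weak design: one counter per phone number, shared by every device.
        # Hardened design (assumption): the last verified device has its own counter.
        if self.trust_known_devices and self.known_devices.get(number) == device:
            return (number, device)
        return (number, None)

    def can_verify(self, number, device, now):
        return now >= self.locked_until.get(self._key(number, device), 0)

    def record_failure(self, number, device, now):
        key = self._key(number, device)
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS


def owner_can_reregister(trust_known_devices):
    """Replay the article's sequence; report whether the owner can verify again."""
    throttle = Throttle(trust_known_devices)
    number = "+10000000000"                          # constructed placeholder
    throttle.known_devices[number] = "owner-phone"   # owner verified earlier
    for second in range(MAX_ATTEMPTS):               # wrong codes from another device
        throttle.record_failure(number, "other-device", now=second)
    # Support then deactivates the number, so the owner has to verify again.
    return throttle.can_verify(number, "owner-phone", now=60)


if __name__ == "__main__":
    print("number-keyed throttle, owner can re-register:", owner_can_reregister(False))
    print("known-device exemption, owner can re-register:", owner_can_reregister(True))
```

The second design assumes the service still remembers the last verified device after the deactivation request, which the article does not say WhatsApp does.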