Although the result is more annoying than dangerous, a newly exploited quirk of WhatsApp's two-factor authentication system seems to make it relatively easy for an attacker to lock you out of your account for varying periods of time. And all a bad actor has to do, as of this writing, is know the phone number associated with your WhatsApp account. This is.
The attack itself is quite easy to carry out. As Android Police describes it:
This newly discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can't verify it, because of course the two-factor authentication system sends the login codes to your phone instead. After several repeated and unsuccessful attempts, your login is locked for 12 hours.
Here comes the tricky part: with your account locked, the attacker sends a support message to WhatsApp from an email address, claiming that (your) phone has been lost or stolen and that the account associated with your number must be deactivated. WhatsApp "checks" this with a reply email and suspends your account without any input on your part. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.
The silver lining here is that attackers can't actually get into your account this way; they can only annoy you by making your account unusable for a period of time (potentially permanently, if the attacker is truly dedicated).
WhatsApp representatives told Forbes that the easiest way to protect yourself against this type of attack is to make sure you have associated an email address with the two-step verification process, so that an attacker cannot impersonate you. You can do this right now by opening WhatsApp, loading its settings, tapping Two-step verification and entering your email address (or checking to make sure you've already done so).
This won't block the attack itself, but it will make it much easier for WhatsApp's customer service team to help you if you find yourself in a "can't verify my account" feedback loop, which is what happens if an attacker contacts WhatsApp posing as you, claiming that your account has been hacked and that WhatsApp should disable it. (You will then "receive" codes to re-register, only you won't be able to enter them because of the previous trick, which temporarily locks you out for entering too many incorrect 2FA codes.)
As Zak Doffman writes at Forbes:
This is not complex and should be easily solved. WhatsApp could ensure that an app on a device with 2FA enabled can prevent this problem by using 2FA as a switch. Even simpler, when multi-device access finally arrives, WhatsApp could use the concept of a trusted device to allow one verified app to verify another. This is a much better system and would close this vulnerability.
I would expect WhatsApp to analyze this issue and fix the 2FA verification process (or the account deactivation process) to make these types of drive-by-style attacks ineffective. In the meantime, you may want to consider using a completely different WhatsApp number, if possible, to minimize the risk of being locked out.