A new loophole in WhatsApp’s authentication system allows an attacker to lock you out of the app, or in other words, deactivate your account. This sounds scary if you use the app frequently, but it’s worth noting the process to pull this off is fairly complicated and takes about 36 hours to execute.

Earlier this week, security researchers Luis Márquez Carpintero and Ernesto Canales Pereña shared their discovery of this flaw through an article in Forbes. Here’s how it works:

This whole rigmarole sounds cumbersome, like way too much work for an attacker to go through simply to lock you out of your account. No data or money is extracted this way.

But the worrying part is that there’s no mechanism — like receiving an OTP — in WhatsApp support that asks you to verify yourself as the owner of your account. Plus, this method is successful in locking you out even if you’ve set up two-factor authentication.

WhatsApp said in a statement that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.”

To do that, head to Account > Two-step verification, and after entering the secure PIN, you can provide an email ID to recover it. This email ID will also help WhatsApp in verifying your request. But you might still have to email WhatsApp support if you’re locked out. Bummer.

Story by Ivan Mehta

Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That’s one heck of a mixed bag. He likes to say “Bleh.”
