The messaging app WhatsApp contains a security flaw that allows cybercriminals to block the account of any user just by knowing their associated phone number, in a process that can be carried out in twelve hours. This has been reported by cybersecurity researchers Luis Márquez Carpintero and Ernesto Canales Pereña, who have explained that the vulnerability affects even users with two-factor authentication enabled, the feature WhatsApp offers as an additional layer of security, as stated
The security failure of the ‘app’ is due to two independent WhatsApp processes which, when combined by a cybercriminal, make it possible to lock an account and prevent its owner from ever accessing it again.
The first part of the vulnerability is that anyone can enter the phone number of a WhatsApp user in the app’s registration screen. When this happens, the victim receives the six-digit verification code by SMS or by call, together with a notification warning that the code was requested and reminding them that it should never be shared with anyone.
The problem is that cybercriminals can carry out this process while the user continues to use their WhatsApp account normally, just by knowing the victim’s phone number. By repeatedly entering incorrect SMS codes (which the legitimate user ignores, since they neither requested them nor have any way to enter them), the cybercriminal triggers the option the application offers to request a new code only after twelve hours, which blocks the entry of verification codes in the meantime.
As the second part of the vulnerability, cybercriminals can send an email to WhatsApp support claiming that the phone has been stolen and requesting that the account be deactivated. This process only requires confirming the phone number associated with the account.
After this, WhatsApp begins the process of deactivating the user’s account, and the victim receives a notification that their phone number is no longer associated with the account. When the victim tries to re-register by entering their phone number, WhatsApp does not send a new SMS code and warns that they must wait twelve hours because too many requests have already been made.
However, after twelve hours, instead of enabling a new code, WhatsApp warns that there are “-1 seconds” left before a new SMS code can be generated. This error message is displayed to both the victim and the attacker. In this way, according to the researchers, the user’s account is permanently blocked, and the victim will only be able to reactivate it by contacting WhatsApp support directly so that the case is reviewed manually.