The messaging app WhatsApp contains a newly reported security flaw that lets an attacker lock any user out of their account just by knowing the phone number associated with it, in a process that can be completed in about twelve hours.
The flaw was reported by security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, who explained, as recounted by Forbes, that it affects even users who have enabled the two-step verification that WhatsApp offers as an additional layer of security.
The failure stems from two independent WhatsApp processes which, combined by an attacker, lock an account and prevent its owner from getting back in.
The first part is that anyone can enter another user's phone number in WhatsApp's registration flow. The victim then receives the six-digit verification code by SMS or voice call, together with a notification about the request reminding them that the code must never be shared with anyone.
The attacker can do this while the victim keeps using their WhatsApp account normally, with nothing more than the victim's phone number.
The attacker then repeatedly enters wrong codes. The victim ignores the genuine codes, since they never requested them and their already-registered app gives them no place to enter them. After enough wrong entries, WhatsApp stops accepting codes for that number and only offers to send a new one after twelve hours, so code entry for the number is blocked in the meantime.
For the second part, the attacker emails WhatsApp support, claims the phone was lost or stolen, and asks for the account to be deactivated. The only thing this process requires is confirming the phone number associated with the account.
WhatsApp then begins deactivating the account, and the victim receives a notification that their phone number is no longer associated with it. When the victim tries to re-register by entering the number, WhatsApp sends no new code by SMS and warns that they must wait twelve hours because too many requests were made earlier.
Once the twelve hours have passed, however, WhatsApp does not allow a new code; instead it reports that “-1 seconds” remain before a new SMS code can be generated. The same error is shown to both the victim and the attacker.
The account is thus permanently locked, as the researchers explain, and the victim can only recover it by contacting WhatsApp support directly so that the case is reviewed manually.
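The following Python model, added here as an illustration and not code from the researchers or from WhatsApp, replays the two-step chain above against a toy verification service and then against a hardened variant. Only the twelve-hour window, the support path that checks nothing but the phone number, and the “-1 seconds” message come from the article; the attempt threshold (MAX_FAILED_CODES), the constructed code and recovery secret, the per-requester lockout key, and an unclamped, never-cleared lockout record as one plausible cause of the negative countdown are assumptions made for the example.

```python
"""Toy model of the two-step lockout chain (added example; not WhatsApp's code).

From the article: the 12-hour wait, a support path that checks only the phone
number, and the "-1 seconds" message. Assumed for illustration: the attempt
threshold, the per-requester key and recovery secret in the hardened version,
and an unclamped, never-cleared lockout record as one plausible cause of "-1".
"""
import math
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 12 * 3600   # twelve-hour wait reported in the article
MAX_FAILED_CODES = 5          # assumed threshold, not stated in the article
REAL_CODE = "123456"          # constructed; only the victim's device ever receives it


class FakeClock:
    """Controllable clock so the twelve-hour window can be replayed offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Account:
    phone: str
    recovery_secret: str
    active: bool = True
    failed: dict = field(default_factory=dict)        # lockout key -> wrong entries
    locked_until: dict = field(default_factory=dict)  # lockout key -> epoch seconds


class VulnerableService:
    """Lockout keyed on the victim's number alone (any requester can trip it),
    deactivation on nothing but the number, and a lockout record that is never
    cleared or clamped, so its countdown goes negative after the window."""
    def __init__(self, clock):
        self.clock = clock
        self.accounts = {}

    def register(self, phone, recovery_secret):
        self.accounts[phone] = Account(phone, recovery_secret)

    def _key(self, phone, requester):
        return phone                      # the flaw: who is asking is ignored

    def _remaining(self, acct, key):
        return math.floor(acct.locked_until[key] - self.clock.now())

    def request_code(self, phone, requester):
        acct, key = self.accounts[phone], self._key(phone, requester)
        if key in acct.locked_until:      # still consulted after deactivation
            return f"wait {self._remaining(acct, key)} seconds"
        if not acct.active:
            return "number no longer associated with an account"
        return "code sent"

    def submit_code(self, phone, requester, code):
        acct, key = self.accounts[phone], self._key(phone, requester)
        if code == REAL_CODE:
            acct.failed.pop(key, None)
            return True
        acct.failed[key] = acct.failed.get(key, 0) + 1
        if acct.failed[key] >= MAX_FAILED_CODES:
            acct.locked_until[key] = self.clock.now() + LOCKOUT_SECONDS
        return False

    def support_deactivate(self, phone, proof=None):
        """Lost-phone request: per the article, only the number is confirmed."""
        self.accounts[phone].active = False
        return True


class HardenedService(VulnerableService):
    """Assumed mitigations (the article does not say what WhatsApp changed):
    count wrong entries per (number, requester) so an attacker locks only
    itself, clear an expired lockout and clamp its countdown at zero, and
    require a recovery secret before deactivating an account."""
    def _key(self, phone, requester):
        return (phone, requester)

    def _remaining(self, acct, key):
        return max(0, super()._remaining(acct, key))

    def request_code(self, phone, requester):
        acct, key = self.accounts[phone], self._key(phone, requester)
        if key in acct.locked_until and self._remaining(acct, key) == 0:
            del acct.locked_until[key]    # window over: drop the stale record
            acct.failed.pop(key, None)
        return super().request_code(phone, requester)

    def support_deactivate(self, phone, proof=None):
        acct = self.accounts[phone]
        if proof != acct.recovery_secret:
            return False                  # the number alone is not enough
        acct.active = False
        return True


def run_lockout_chain(service_cls, victim="+10000000000"):
    """Replay both steps; return (owner's view mid-window, deactivated?, view after 12h+1s)."""
    clock = FakeClock()
    service = service_cls(clock)
    service.register(victim, recovery_secret="constructed-secret")
    for _ in range(MAX_FAILED_CODES):           # step 1: wrong codes from the attacker's device
        service.submit_code(victim, "attacker", "000000")
    mid_window = service.request_code(victim, "owner")
    deactivated = service.support_deactivate(victim)   # step 2: lost-phone email, number only
    clock.advance(LOCKOUT_SECONDS + 1)
    return mid_window, deactivated, service.request_code(victim, "owner")


if __name__ == "__main__":
    print("vulnerable:", run_lockout_chain(VulnerableService))
    print("hardened:  ", run_lockout_chain(HardenedService))
```

Against the vulnerable service the owner is already told to wait during the window although they never entered a code, the support path deactivates on the number alone, and after the window the owner sees “wait -1 seconds” because the lockout record is never cleared and its countdown is never clamped. The hardened variant keys the counter on the requester as well as the number, so the attacker only locks itself out, refuses the deactivation without the recovery secret, and issues a code to the owner at every point. The specific mitigations are illustrative; the article does not report what WhatsApp changed.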