Loophole appears to have been closed, but victims should take action
A serious vulnerability has been discovered in the security system of the popular instant messenger WhatsApp. And to use it, the attackers did not need any special skills or equipment.
The fact is that WhatsApp provides the ability to request a remote account lock. This is done to prevent misuse in case of theft or loss of the phone.
The WhatsApp support documentation clearly states that the user simply needs to send an email containing the phrase “Lost/Stolen: Deactivate my account” along with a phone number in full international format.
In an ideal world, this system would work well for a service with multiple user accounts. However, WhatsApp has billions of users, and our world is far from perfect.
Attackers can close a WhatsApp account with one simple email. What to do?
The problem was initially noticed by cybersecurity expert Jake Moore from ESET. Very emotionally, he wrote on his Twitter page:
So let me get this right, @WhatsApp, I can enter ANY number and will you deactivate that account?
He also rightly notes that we do not live in an ideal world. What’s more, WhatsApp’s system is fully automated and does not check whether the sender of the email is the actual owner of the account. So it’s easy to imagine how anyone who knows your phone number could create a backup email address and request that your account be deactivated behind your back.
In addition, attackers can use the system by randomly deactivating WhatsApp accounts and demanding a ransom from victims to restore access.
Luckily, the company seems to have spotted the error. Or perhaps they just received an obscene amount of deactivation requests. Currently, immediate account deactivation is disabled. If you are the victim of such an attack, the support documentation clearly states that you can restore deactivated accounts and all unread messages within 30 days. However, hurry up:
If you do not activate your account within 30 days, it will be permanently deleted.
