If you use the popular messaging app WhatsApp, be aware of a security flaw disclosed this week: an attacker who knows nothing more than your phone number can lock you out of your WhatsApp account remotely. WhatsApp has not yet shipped a fix for the issue.
Forbes first reported the flaw, which was found by security researchers Luis Marquez Carpintero and Ernesto Canales Perena, together with a proof-of-concept attack. They tested the method before disclosing it. WhatsApp says it is working on a fix. In the meantime, users are advised to add an email address to their two-step verification settings, so that WhatsApp's support team can tell the real owner of a number apart from an impostor if this attack is attempted against them.
How the Attack Happens
The attack combines two separate weaknesses. First, the attacker installs WhatsApp on a device you have never used and enters your phone number. To activate the number, WhatsApp sends a verification code by SMS to that number, that is, to your phone, not the attacker's, so the attacker can only submit wrong codes. After several wrong codes, WhatsApp stops accepting verification attempts for that number for 12 hours. Because the lockout is tied to the phone number rather than to the device that failed, it applies to you as well.
You may be thinking that a temporary block is no big deal, but this is where the second weakness comes in. While the number is locked, the attacker emails WhatsApp support from a fresh email address, claiming that the phone has been lost or stolen and asking for the number to be deactivated. WhatsApp replies to confirm the request and then suspends the account, which logs you out; because the number is still inside its 12-hour lock, you cannot re-verify it to get back in. None of this requires any action from you. By repeating the lockout cycle, the attacker can turn the temporary block into an effectively permanent one.
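The core of the first weakness is a lockout keyed on a public identifier. The following is an added example written for this article, not WhatsApp's code: it models SMS-code verification with a failure counter whose scope is chosen by a key function, and runs the attack above against two scopes. Keying the lock on the bare phone number reproduces the lockout described in the article; keying it on the (number, client) pair is an assumed hardening, not anything WhatsApp has announced. The threshold of three failures, the client identifiers and the phone number are constructed for illustration.

```python
# Added example: a toy model of the lockout behaviour described in the article.
# It is NOT WhatsApp's code; the failure threshold, class names and the
# "hardened" key function are assumptions made for illustration only.
import secrets

LOCKOUT_SECONDS = 12 * 3600   # the 12-hour block the article describes
MAX_FAILURES = 3              # assumption: the real threshold is not stated


class PhoneVerifier:
    """SMS-code verification whose failure counter is scoped by key_fn.

    key_fn(number, client) decides what a lockout is tied to. Keying on the
    bare number lets anyone who knows it lock the owner out; keying on
    (number, client) confines the lockout to the client that failed.
    """

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.codes = {}         # number -> current SMS code (only the SIM holder sees it)
        self.failures = {}      # key -> failed attempts so far
        self.locked_until = {}  # key -> unix time at which the lock expires

    def _locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def request_code(self, number, client, now):
        """Send a fresh code to the number. The attacker's device never receives it."""
        if self._locked(self.key_fn(number, client), now):
            return "locked"
        self.codes[number] = f"{secrets.randbelow(10**6):06d}"
        return "sent"

    def submit_code(self, number, client, code, now):
        key = self.key_fn(number, client)
        if self._locked(key, now):
            return "locked"
        if secrets.compare_digest(code, self.codes.get(number, "")):
            self.failures.pop(key, None)
            return "verified"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def by_number(number, client):
    return number                 # vulnerable: lock keyed on a public identifier


def by_number_and_client(number, client):
    return (number, client)       # assumed hardening: lock scoped to the failing client


def run_attack(key_fn, now=1_000_000):
    """Attacker burns the failure budget for the victim's number from their own
    device; the victim then tries to verify with the real code. Returns the
    victim's outcome: "locked" under by_number, "verified" under the scoped key."""
    v = PhoneVerifier(key_fn)
    victim, attacker = "+15555550123", "attacker-device"   # constructed sample data
    for _ in range(MAX_FAILURES):
        v.request_code(victim, attacker, now)
        # The attacker never sees the SMS, so every guess is wrong.
        v.submit_code(victim, attacker, "wrong-guess", now)
    # The SMS went to the victim's SIM, so the victim knows the current code.
    v.request_code(victim, "victim-device", now)
    real_code = v.codes[victim]
    return v.submit_code(victim, "victim-device", real_code, now)


if __name__ == "__main__":
    print("number-keyed lockout, victim result:", run_attack(by_number))
    print("client-scoped lockout, victim result:", run_attack(by_number_and_client))
```

The general lesson, which goes beyond this one app, is that a lockout counter whose only key is something the public knows (a phone number, a username, an email address) is a denial-of-service primitive against the legitimate owner. Scoping the counter to the failing client only helps if the client key is something an attacker cannot rotate for free, so in practice it is combined with per-source rate limiting rather than used alone, and a legitimate, already-verified session should never be torn down by failures coming from a different device.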
The outcome is troubling for ordinary users, although there is no evidence yet that the method is being used in the wild. It is also worth being clear about what the attack cannot do: it does not give the attacker access to the account, and your messages and contacts are not exposed. Still, if WhatsApp does not close this loophole soon, the consequences could be serious and could further damage the company's image.