The latest bug discovered in the messaging app takes 36 hours to carry out but defeats two-factor authentication: how it works and how to protect yourself.
There are all kinds of scams and phishing attempts on WhatsApp, but the latest flaw discovered is truly disturbing. According to research recently published by Luis Márquez Carpintero and Ernesto Canales Pereña, two researchers specializing in cybersecurity, knowing your phone number is enough for an attacker to lock you out of your account by asking WhatsApp to suspend and deactivate it, without your being able to do anything about it. The worst part of this problem is that there is currently no fix for this type of risk. Fortunately, it is a fairly involved procedure and takes at least 36 hours to carry out, but for those who do not check their phone daily, this mechanism could turn into a nightmare.
In practice it works like this: the attacker tries to register your phone number on a new WhatsApp account, entering the activation code several times, a code he obviously does not have, since it arrives via SMS on your phone. But he makes so many attempts within a few seconds that you cannot intervene, and after several failed attempts the app blocks access to the profile for 12 hours. In the meantime, the attacker sends a "lost or stolen phone" request by email to the WhatsApp support team, asking them to deactivate the account. Since no email is registered in your profile, WhatsApp has no way of being sure that the request comes from the legitimate owner of the profile, so it takes the many wrong login attempts as consistent with the request and "certifies" the block. Repeating this process another 2 times leaves your profile blocked (semi) permanently, with the message: "Retry access after -1 seconds". At this point, all you can do is contact WhatsApp support and explain the situation to them.
A situation made even more paradoxical by the fact that enabling two-factor authentication is useless against this technique. The only positive note is that the attack cannot be used to actually gain access to an account, only to block access by its rightful owner, so confidential messages and contacts are not exposed. WhatsApp is working to fix the problem and warns that using this vulnerability violates its terms of service. Not a great deterrent for someone who can act anonymously with a new email address created specifically for the purpose; the only remedy for the moment is to add your recovery email to your account so that you can immediately show the service that you are the real owner of the account. “Providing an email address with two-step verification helps our customer service team assist people if they encounter this problem,” a WhatsApp spokesperson told Forbes.
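As an added illustration (not the researchers' or WhatsApp's code), the following Python toy model captures the support-process weakness described above and the effect of a registered recovery email on it; the wrong-code threshold, the phone number and the email addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed toy model of the lockout flow the article describes (not WhatsApp's code).
# Numbers mirror the text: 12-hour block, three rounds to the "-1 seconds" state.
MAX_WRONG = 5        # assumed number of wrong codes that triggers a block
BLOCK_SECONDS = 12 * 3600
ROUNDS_TO_PERMANENT = 3
PERMANENT = -1       # the "Retry access after -1 seconds" state

@dataclass
class Account:
    number: str
    recovery_email: Optional[str] = None
    wrong_codes: int = 0
    rounds: int = 0
    retry_after: int = 0   # 0 = usable, >0 = seconds blocked, -1 = locked until support acts

def submit_code(acct: Account, code: str, real_code: str) -> int:
    """Registration-code check: repeated wrong codes block the number for 12 hours."""
    if acct.retry_after != 0:
        return acct.retry_after
    if code == real_code:
        acct.wrong_codes = 0
        return 0
    acct.wrong_codes += 1
    if acct.wrong_codes >= MAX_WRONG:
        acct.wrong_codes, acct.retry_after = 0, BLOCK_SECONDS
    return acct.retry_after

def deactivation_request(acct: Account, sender: str, verify_sender: bool) -> int:
    """'Lost or stolen phone' email handled by support. verify_sender=False is the flaw
    (any sender honoured while blocked); True honours only the recovery email on file."""
    if verify_sender and (acct.recovery_email is None or sender != acct.recovery_email):
        return acct.retry_after   # no proof of ownership: ignored, nothing escalates
    if acct.retry_after == 0:
        return 0                  # nothing to confirm for an unblocked number
    acct.rounds += 1
    acct.retry_after = PERMANENT if acct.rounds >= ROUNDS_TO_PERMANENT else BLOCK_SECONDS
    return acct.retry_after

def simulate(acct: Account, sender: str, verify_sender: bool) -> int:
    """Play the article's three-round sequence; returns the final retry_after."""
    for _ in range(ROUNDS_TO_PERMANENT):
        for _ in range(MAX_WRONG):
            submit_code(acct, "000000", "123456")  # the SMS code never reaches the requester
        if deactivation_request(acct, sender, verify_sender) == PERMANENT:
            break
        acct.retry_after = 0   # clock advances past the 12-hour block
    return acct.retry_after
```

With `verify_sender=False` the account ends in the permanent state after three rounds; with a recovery email on file and sender verification, unverified requests are ignored and the number is usable again once each 12-hour block expires.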
How do you set up the email? Go to Account, then Two-Step Verification and, after entering your PIN, tap “Change Email Address” to add this extra layer of security. It is not certain that this guarantees a sufficient shield against this major WhatsApp flaw without having to write to customer service, but at least it makes life a little harder for anyone trying to kick you out of your profile.