WhatsApp Has a Serious Security Problem
WhatsApp has another problem. This time it's a security vulnerability that enables someone to easily block our access to our account.
- "New" security vulnerability in WhatsApp allows for blocking and deleting an account in a trivial way - just a phone number is enough;
- The problem is supposed to have been present for a long time and is partly due to the failure to check the senders of reports of lost devices with the app and a bug in the system for generating verification codes.
WhatsApp messenger developers have had reasons to complain in recent months. The new, controversial terms of service discouraged millions of users from the app, and reports of malware are unlikely to improve its image. As if that wasn't enough, people using WhatsApp have to face a new (let's call it that) vulnerability that allows for deleting a user's - and without any hacking knowledge.
The problem was first described in a Forbes article by Zak Doffman. Researchers Luis Márquez Carpintero and Ernesto Canales Perena proved that they are able to block his WhatsApp in a terrifyingly simple way. This is possible through two overlapping problems of the app. The first step is trying to log into the messenger from another device and entering the verification code incorrectly. After enough failed attempts, WhatsApp will block the sending of further combinations for 12 hours.
Until then, it is not a major problem for the user, leaving aside the rash of subsequent notifications and SMS (unless they log out of the app). However, now the "hacker" can send a message to WhatsApp support from a new email about the alleged loss of a device with the app installed and a request to deactivate the account. And this is where things start to get funny. An experiment by Luis Márquez Carpintero and Ernesto Canales Perena shows that the process of deleting a WhatsApp account is completely automatic, without any attempt to confirm the identity of the sender. Speaking of which, the inclusion of two-step login verification does not hinder any of these and subsequent steps at all.
Of course, we have 30 days before the deactivated account is permanently deleted. Simply logging into WhatsApp is enough to stop the process. Unless we can't get the verification codes because someone has abused the system before and does it again after the required 12 hours.
However, this is still a lot of work for the "hacker" and it can be assumed that during a period of 30 days sooner or later the user will manage to obtain the code and log into the account before the attacker. The problem is that actually blocking access is not a matter of a month, but just 36 hours. If we "overload" the generator time at a time, then on the third cycle, instead of 12 hours, the program makes us wait "-1 second", which - as you can easily guess - completely blocks the entry of codes. There is also nothing to prevent us from reversing the order of steps: first force a permanent block, and only then send an email to technical support.
Most amusingly, the bug reported by Forbes is by no means new. Tsachi Ganot, CEO of Israeli firm Pandora Security, said that back in December his team reported (via Haaretz) a similar vulnerability. Importantly, even Pandora Security was not the first to discover the exploit. The company learned about it through its customers' problems and only then tested its mechanism. In an interview with Forbes, Ganot also stated that the issue was reported to Facebook, but the report was completely ignored. It was only after this that Pandora Security published an article dedicated to the vulnerability.
Apparently, this was also the case with Zak Doffman's text, because - as we read in the update posted by Forbes - the journalist reported his findings to Facebook as early as March 25. The company didn't say a word about plans to fix this "mistake." The company has only assured that those who engage in such practices will face the consequences. It was also recommended to add an e-mail address during two-step verification, which is supposed to be helpful in case a user encounters this type of problem.
The only blessing in all this confusion is the fact that this vulnerability does not enable someone to take over our account or any data on it. In other words, the "hacker" has no direct benefit from the attack. Not that there is no shortage of people that would do this out of pure malice. It's possible that after this and other "interesting" information, more users will follow in the footsteps of Mark Zuckerberg and switch to competitive messengers.