WhatsApp ‘flaw’ lets anybody lock you out of the app but it’s complex.


A new vulnerability in WhatsApp’s authentication system allows an attacker to block you from the application, or in other words, deactivate your account. This seems scary if you use the application frequently, but it is worth noting that the process to do so is quite complicated and takes about 36 hours to run.

Earlier this week, security researchers Luis Márquez Carpintero and Ernesto Canales Pereña shared their discovery of this fault with a story in Forbes. It works like this:

  1. After installing WhatsApp, the attacker tries to connect via your number by asking for credentials.
    WhatsApp blocks the sending of passwords for 12 hours after a number of attempts.
  2. Meanwhile, the attacker creates a new email and sends “a lost or stolen phone request” to WhatsApp’s support team to deactivate your account.
  3. WhatsApp support does not really check whether the e-mail address is associated with your account, so it blocks you out of the application.
  4. After that, the attacker must rehearse the 12-hour cycle twice.
  5. At the end of these three cycles, you and the attacker will both see the “Try again after -1 seconds” message, while attempting to log in from your number.
  6. Now you will need to contact WhatsApp support to collect this account. All this rigmarole looks heavy as far as too much work for an attacker to go through, simply to lock you out of your account. No data or money is taken out that way.

But the concern is that there is no mechanism like receiving a OTP in WhatsApp support that asks you to verify yourself as the owner of your account. What’s more, this method succeeds in blocking you even if you have configured a two-factor authentication.

WhatsApp stated in a statement that “providing an email address with your two-step audit helps our client service team help people deal with this unlikely issue.”

To do this, go to Account > 2-Step Verification, and after entering the secure PIN, you can provide an email ID to retrieve it. It will also help WhatsApp verify your application. However, you may still need to send an email to WhatsApp support if you are blocked.

See Also “How to check if hackers are sharing your Facebook data“.



Please enter your comment!
Please enter your name here