Another day, another new security glitch that has been underlined in the WhatsApp ecosystem. The latest one is a bit of a strange one, because it doesn’t involve exploiting a hidden zero-day hack, or any such predicament. Instead, what it does is exploit fine loopholes in the WhatsApp login and verification system to lock a user out of their WhatsApp chats, therefore causing disruption of workflow, loss of data and general inconvenience. Reported by security researchers Luis Carpintero and Ernesto Perena with Forbes, the said WhatsApp flaw is a very un-sophisticated attack that uses rudimentary but clearly effective techniques to potentially lock a user out of their account, forever.
The flaw starts with an attacker targeting a person’s phone number multiple times with login attempts. One thing to note here is that even when a person is logged in to their WhatsApp account, a third party can attempt to login using the former’s phone number on a different device – no questions asked. During this login process, attackers will clearly not have access to the six-digit one-time password that will be sent to the user’s device. At this stage, users may suddenly bombarded by WhatsApp login OTPs, even though they would not have requested it themselves. This is clearly an indication of something being wrong, although the unfortunate bit is that even for users aware of the issue, there isn’t much that they can do.
Subsequently, the attackers demonstrated how after a certain number of attempts, they were locked out of getting new login codes for 12 hours – citing security concerns. At this stage, the attackers sent an email to WhatsApp Support by stating that their account has been hacked or stolen, requesting them to block access to it on all devices. This is the surprising part, because even at the behest of a random email from an account that is not associated with a number, WhatsApp Support still proceeds to block access to an account – no questions asked. Even the actual user, who was still logged in to their WhatsApp account as usual, suddenly gets logged out at this point.
Hereon, there is no way for a user to get their account back, since they are also limited to the same restrictions as what the attacker would see. To make things worse, even after the stipulated 12-hour period, the attackers can repeat this process for two more rounds, and in the third round, WhatsApp appears to block access to their account, permanently – as in, the account will not be made recoverable after a stipulated number of hours, and all data will be permanently deleted if no actions are taken within 12 hours.
Carpintero and Perena, who discovered this engineered hack of WhatsApp, state that the real issue is the lack of verification at the email stage, and the complete circumvention of two-factor authentication in this process – something that should ideally have worked as a way for the actual owner of the account to bypass such a hacking attempt and regain or retain control of their own WhatsApp account. Instead, the issue here is that the WhatsApp 2FA screen comes after the OTP screen, which means that once locked out of receiving OTPs, the 2FA step is deemed completely pointless.
As a security step, the researchers stated that WhatsApp could look at multi-device linking and on-device authentication as a process, once the feature (which is presently in beta) is rolled out as a stable build. They also recommend WhatsApp to use 2FA as a circuit breaker of sorts in such a hack, and further state that the problem lies with WhatsApp’s easy public discoverability of accounts. A WhatsApp spokesperson told Forbes that such a set of actions by an attacker would be in violation of their usage policies, and users should provide their own email address alongside setting up 2FA, in order to add a layer of verification and prevent such a hack.
While the extent of effort required for such a hack, and the spoils gained from it would mean that this may only be applied for those looking to specifically target an individual for personal agenda and not as a mass attack, it still does not stop the attack from being quite severe in nature. Users, as always, are urged to stay vigilant, and not share their phone numbers beyond what’s necessary – or reveal their OTPs anywhere at all.