Researchers discover that a user’s phone number is enough to block their account, regardless of whether they have the second factor of authentication activated
WhatsApp is one of the most used applications worldwide; however, in recent months several flaws have put the security of its users at risk.
Researchers discovered a new flaw that allows a user's account to be locked just by knowing their phone number. According to the experts, it does not matter if the second factor of authentication is active.
According to cybersecurity analysts, hackers could have access in twelve hours thanks to the vulnerability.
How can you block an account just by knowing the phone number?
Luis Márquez Carpintero and Ernesto Canales Pereña explained to Forbes that the problem comes from two independent processes in WhatsApp which, used by a cybercriminal, allow an account to be locked and prevent the owner from being able to access it again.
They explained that the first vulnerability is that anyone can enter the phone number of a WhatsApp user.
Even if they don’t know the verification code, a wrong password can be entered multiple times. They can then ask for a new code to be sent within twelve hours, which blocks the entry of security codes in the meantime.
Here the cybercriminals take advantage of a second vulnerability: they send an email to WhatsApp support reporting an alleged theft of the phone and asking that the account be deactivated. For this process, the only thing asked is to confirm the telephone number.
The platform does not verify whether the email comes from a legitimate user, since there are no questions to confirm that it is dealing with the account owner.
What can users do about the WhatsApp vulnerability?
From that point, WhatsApp begins the process of deactivating the user's account. The victim only receives a notification that the number is no longer associated with the account.
“When you try to reset and you enter the phone number, the application does not send a new code by SMS and warns that it is necessary to wait twelve hours because too many requests have been made before.”
After that time, a message arrives for both the user and the hacker warning that there is 1 second left to generate a new key. In this way, the user’s account is blocked permanently, the researchers explain.
Unfortunately, there is not much the user can do. Therefore, experts recommend reporting it if you receive activation codes from WhatsApp that you did not request.