Attackers found a way to block WhatsApp
Miscellaneous / April 12, 2021
The attack relies on two weaknesses in the messenger's account security at the same time.
As Forbes reports, attackers have come up with a new way to make life miserable for WhatsApp users. All they need is your phone number, and even two-factor authentication won't help.
It works like this. The attacker installs WhatsApp on their own smartphone and enters your number. To authorize the new install, the app requests a verification code, which is sent to your phone. You ignore it, because you didn't ask for it and assume it was sent by mistake. The problem is that obtaining the code was never the goal.
The attacker then enters random codes over and over, without even trying to guess the right one. After several failed attempts, the system stops sending new codes for 12 hours. Because the lockout is tied to the phone number rather than to the device that made the failed attempts, it is your number that gets locked: your messenger keeps working normally, but delivery of verification codes is suspended. In theory this is harmless, as long as you don't need to go through verification again during that window.
Next, the same attacker creates a new email address and writes to technical support claiming that the phone with this number (your number) was stolen, and asks for the associated account to be deactivated. Support does not verify in any way that the number belongs to the requester, and deactivates the account.
Only at this point does the user notice a problem: a message appears saying that the phone number is not registered with WhatsApp. You can request a verification code to try to log back in, but the system warns that there have been too many failed attempts and that you must wait 12 hours. The codes you received earlier no longer work.
If you merely fell victim to a bad joke, you can regain access after 12 hours. But an attacker may skip the support request and instead repeat the code-request cycle as soon as the timer expires. On the third round (that is, 24 hours after the first attack) the system breaks: the timer shows not 12 hours but -1 second, on both smartphones, and there is no way to fix it.
If a support request is then filed, the account is deactivated permanently, because the timer is broken. This is the worst-case outcome.
How is this possible?
The reason is simple: the messenger is tied to the phone number alone and does not compare the operating system or the device identifier. In addition, users have no protection from outsiders: if you enter someone's number in the messenger and an account is linked to it, that account is shown. There is no way to limit the visibility of your account.
So it is not hard to find out who is registered with WhatsApp, and users' phone numbers regularly surface in leaks, such as the recent massive leak of Facebook's user database.
Neither problem is hard to fix: give users the ability to hide their account from search, and add an identification step when signing in from a new device, for example confirmation through a gadget that is already authorized in the system.
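The lockout mechanics described above, and the "keyed to the phone number alone" design flaw, can be shown with a small model. The following is an added illustration written for this page, not WhatsApp's code: the attempt thresholds, the device identifier, the phone number and the two limiter designs are assumptions made for the example. It puts a rate limiter keyed only by the target phone number (the design the article criticizes) next to one keyed by the pair (phone number, requesting device) with a much larger per-number cap behind it, and replays the attack from the article against both.

```python
"""Toy model of the WhatsApp-style verification-code lockout.

Added example, not WhatsApp's code. The thresholds, device identifiers and
phone number below are assumptions made for the illustration.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

PER_REQUESTER_LIMIT = 5      # assumed: the article only says "several" failures
GLOBAL_LIMIT = 50            # assumed: brute-force cap across all requesters
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour wait the article reports


@dataclass
class Bucket:
    failures: int = 0
    locked_until: float = 0.0

    def locked(self, now: float) -> bool:
        return now < self.locked_until

    def record_failure(self, now: float, limit: int) -> None:
        self.failures += 1
        if self.failures >= limit:
            self.locked_until = now + LOCKOUT_SECONDS


class VerificationService:
    """per_device=False: one bucket per phone number, so any stranger who knows
    the number shares (and can exhaust) the owner's attempt budget.
    per_device=True: one bucket per (phone, requesting device), plus a much
    larger per-phone bucket so rotating device IDs cannot brute-force the code."""

    def __init__(self, per_device: bool):
        self.per_device = per_device
        self._codes: dict[str, str] = {}          # phone -> current SMS code
        self._buckets: dict[object, Bucket] = {}

    def _bucket(self, key: object) -> Bucket:
        return self._buckets.setdefault(key, Bucket())

    def _active(self, phone: str, device: str) -> list[tuple[Bucket, int]]:
        if not self.per_device:
            return [(self._bucket(phone), PER_REQUESTER_LIMIT)]
        return [(self._bucket((phone, device)), PER_REQUESTER_LIMIT),
                (self._bucket(phone), GLOBAL_LIMIT)]

    def request_code(self, phone: str, device: str, now: float) -> str | None:
        """Return the code 'sent by SMS' (it lands on the number's owner, whoever
        asked for it), or None if this requester is currently locked out."""
        if any(b.locked(now) for b, _ in self._active(phone, device)):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[phone] = code
        return code

    def submit_code(self, phone: str, device: str, code: str, now: float) -> str:
        active = self._active(phone, device)
        if any(b.locked(now) for b, _ in active):
            return "locked"
        expected = self._codes.get(phone)
        if expected is not None and hmac.compare_digest(expected, code):
            for b, _ in active:
                b.failures = 0
            return "ok"
        for b, limit in active:
            b.record_failure(now, limit)
        return "wrong_code"


def burn_attempts(svc: VerificationService, phone: str, device: str, now: float) -> None:
    """The attacker's half: trigger an SMS the attacker never sees, then burn the
    attempt budget with junk guesses (non-numeric, so they can never match)."""
    svc.request_code(phone, device, now)
    for _ in range(PER_REQUESTER_LIMIT):
        svc.submit_code(phone, device, "xxxxxx", now)


def owner_reverify(svc: VerificationService, phone: str, device: str, now: float) -> str:
    """The owner's half: request a fresh code and submit it from their own handset."""
    code = svc.request_code(phone, device, now)
    if code is None:
        return "owner_locked_out"
    return svc.submit_code(phone, device, code, now)


def simulate(per_device: bool, owner_retry_delay: float = 60.0) -> str:
    svc = VerificationService(per_device)
    victim = "+15550001234"  # constructed number
    burn_attempts(svc, victim, "attacker-handset", 0.0)
    return owner_reverify(svc, victim, "owner-handset", owner_retry_delay)


if __name__ == "__main__":
    print("phone-only limiter, owner retries after 1 min :", simulate(False))
    print("phone-only limiter, owner retries after 12 h  :", simulate(False, 12 * 3600))
    print("per-device limiter, owner retries after 1 min :", simulate(True))
```

With the phone-only limiter the owner is locked out for the full 12 hours by someone else's failed guesses, exactly the situation the article describes; with the per-device limiter the attacker's handset stays locked while the owner, who actually receives the SMS, verifies immediately. The per-number cap is kept deliberately, and set well above the per-requester one, because keying the lockout by requester alone would let an attacker brute-force a six-digit code by rotating device identifiers.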
What if someone tries to block your account?
WhatsApp representatives said that victims of such attacks should contact technical support, since such actions violate the platform's terms of use. Do this as soon as you notice SMS messages with WhatsApp access codes that you did not request.
They also advised linking an email address to your account to make restoring access easier. There was no statement about strengthening security so that an outsider cannot lock you out of your messenger.