Security researchers are warning of a new attack that will lock users out of their WhatsApp accounts. Even if two-factor authentication is activated. All it takes is the cell phone number.
Reports from users who lose access to their Whatsapp account are nothing new. In most cases, a PIN that was previously received as an SMS was passed on: The sequence of numbers is a verification code. If this is passed on, you usually lose access to your account within minutes.
But now security researchers are warning of a new scam. This allows attackers to block WhatsApp accounts and only with the target person’s cell phone number. “That should not happen. That must not be possible. Not with a messenger that is used by two billion people, ”writes journalist Zak Doffman in a corresponding article Forbes.com.
Post Contents
Two weak points
In the article he describes how two security researchers deactivated his Whatsapp account. «Luis Márquez Carpintero and Ernesto Canales Pereña warned me that they can block my Whatsapp. I was skeptical – but they were right, ”writes Doffman.
“The newly discovered vulnerability affects two WhatsApp processes, both of which have fundamental weaknesses. With the combination of vulnerabilities, WhatsApp accounts can be deactivated remotely, ”he explains. All an attacker needs is the cell phone number and a few tricks. We deliberately do not provide a precise description at this point.
“Not possible to fight back”
“Locking someone out of WhatsApp shouldn’t be that easy and shouldn’t work at all if two-factor authentication is switched on,” writes Doffman. With the discovery, the IT security researchers also want to draw attention to another Whatsapp problem: “With Whatsapp there is no way to defend yourself, to be discovered. Anyone can type in a phone number and find the associated account, if it exists, ”says the text.
Whatsapp declares in a statement that the “identified circumstances” violate the terms of use. Anyone who needs help with this “unlikely problem” can contact support. The contact can be found in the settings under the menu item Help. In addition, an email address can be entered in addition to the mobile phone number when activating the verification in two steps.
