Two researchers have verified that anyone can lock a WhatsApp user out of their account knowing only the victim's phone number. The attack starts with the attacker simply requesting activation of that number in the WhatsApp app installed on any phone.
The victim then receives the usual SMS that WhatsApp sends when someone tries to activate an account on their number:
"WhatsApp code: (six digits, separated into groups of three with a hyphen)
Or follow this link to verify your number: (link that begins with the letter v and a period)
Do not share this code with anyone"
As always with these messages from WhatsApp, the SMS arrives without accents. A user who has never requested any WhatsApp code can now be the target of an attack whose end goal is to lock them out of their own account. The striking thing, according to the researchers who demonstrated it to Forbes, is that the whole process requires no sophistication at all and exploits two basic security weaknesses in how WhatsApp handles its accounts.
As cybersecurity researchers Luis Márquez Carpintero and Ernesto Canales Pereña explained to Forbes, an attacker can lock us out of our own account using nothing but our phone number.
How can someone easily block your WhatsApp account?
The attack abuses WhatsApp's own registration flow. Anyone can enter another user's phone number in the app on their own device. When an attacker does so, the victim receives the six-digit verification code by SMS or by voice call, plus an in-app notification that a code was requested, even though the victim never asked for one. At this stage the victim can still use their WhatsApp account normally.
In parallel, the attacker emails WhatsApp technical support claiming that their phone has been stolen and asking for the associated account to be deactivated, giving the victim's number as their own. All support asks the attacker to do is confirm the phone number associated with the account. This is the second basic weakness the attack exploits: WhatsApp does not follow up to check that the claim received by email is genuine.
Support may then begin deactivating the account. The victim receives a notification that their number is no longer associated with the account. If the victim tries to re-register by entering their phone number, the app does not send a new code by SMS but instead says they must wait twelve hours.
That block is the result of the repeated code requests made earlier by the attacker. Once those twelve hours have elapsed, rather than allowing a new code, WhatsApp reports that there are "-1 seconds" left before a new SMS code can be generated, as shown in the screenshot the researchers shared with Forbes:
At this point, in the researchers' words, "there will be no way to re-register WhatsApp on the phone when they kick you out of the application", and the user has to contact WhatsApp to recover it.
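To make the lockout mechanism concrete, here is an added example in Python that is neither WhatsApp's code nor the researchers' proof of concept: a simplified model of a verification-code throttle keyed only on the target number, beside a version keyed on the requesting device. The limits (three requests per ten-minute window, then a twelve-hour lockout), the phone number and the device identifiers are all assumptions constructed for the illustration, and the "flag that is never cleared" lock is one constructed way to reproduce the "-1 seconds" symptom, not a claim about why it happens in WhatsApp.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed limits for the illustration (assumptions, not WhatsApp's real
# values): three code requests per ten-minute window, then a twelve-hour
# lockout matching the wait the researchers describe.
MAX_REQUESTS = 3
WINDOW_SECONDS = 600
LOCKOUT_SECONDS = 12 * 3600


@dataclass
class BudgetState:
    """Recent request times plus lockout bookkeeping for one throttle key."""
    timestamps: List[float] = field(default_factory=list)
    locked: bool = False          # used by the weak model only
    locked_until: float = 0.0


class TargetKeyedThrottle:
    """Weak model: the budget is keyed on the target number alone.

    Anyone who types the victim's number into a fresh install shares the
    victim's budget, so a stranger can trigger the lockout. The lock is a
    flag that nothing here clears when the timer runs out, so the reported
    wait keeps counting down past zero (a constructed way to reproduce the
    "-1 seconds" symptom from the article).
    """

    def __init__(self) -> None:
        self.state: Dict[str, BudgetState] = {}

    def request_code(self, target: str, requester: str, now: float) -> Tuple[bool, int]:
        st = self.state.setdefault(target, BudgetState())  # requester is ignored
        if st.locked:
            return False, int(st.locked_until - now)       # goes negative after expiry
        st.timestamps = [t for t in st.timestamps if now - t < WINDOW_SECONDS]
        st.timestamps.append(now)
        if len(st.timestamps) > MAX_REQUESTS:
            st.locked = True
            st.locked_until = now + LOCKOUT_SECONDS
            return False, LOCKOUT_SECONDS
        return True, 0


class RequesterKeyedThrottle:
    """Hardened model: the budget is keyed on (target, requester).

    A stranger's requests burn only the stranger's budget, the lock expires
    by the clock rather than by a flag, and the reported wait is never
    negative.
    """

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str], BudgetState] = {}

    def request_code(self, target: str, requester: str, now: float) -> Tuple[bool, int]:
        st = self.state.setdefault((target, requester), BudgetState())
        remaining = st.locked_until - now
        if remaining > 0:
            return False, int(remaining)
        st.timestamps = [t for t in st.timestamps if now - t < WINDOW_SECONDS]
        st.timestamps.append(now)
        if len(st.timestamps) > MAX_REQUESTS:
            st.timestamps.clear()
            st.locked_until = now + LOCKOUT_SECONDS
            return False, LOCKOUT_SECONDS
        return True, 0


def simulate(throttle_cls) -> Dict[str, Tuple[bool, int]]:
    """Replay the article's scenario against one throttle model.

    The attacker fires MAX_REQUESTS + 1 code requests at the victim's number
    from their own device; the victim then tries to re-register from their
    own phone during the lockout and again one second after it should have
    expired. The number and device ids are constructed for the example.
    """
    thr = throttle_cls()
    victim_number, attacker_dev, owner_dev = "+34600000000", "attacker-phone", "victim-phone"
    t0 = 1_700_000_000.0
    for i in range(MAX_REQUESTS + 1):
        thr.request_code(victim_number, attacker_dev, t0 + i)
    locked_at = t0 + MAX_REQUESTS          # time of the request that tripped the lock
    return {
        "owner_during": thr.request_code(victim_number, owner_dev, locked_at + 60),
        "owner_after": thr.request_code(victim_number, owner_dev, locked_at + LOCKOUT_SECONDS + 1),
        "attacker_after": thr.request_code(victim_number, attacker_dev, locked_at + LOCKOUT_SECONDS + 1),
    }


if __name__ == "__main__":
    for cls in (TargetKeyedThrottle, RequesterKeyedThrottle):
        print(cls.__name__, simulate(cls))
```

With the target-keyed model the owner's phone is rejected both during the lockout and one second after it, the second time with the wait reported as -1; with the requester-keyed model the owner's device gets a code at both points, because the attacker only exhausted their own budget. A production design still needs some per-number cap to bound SMS cost, but that cap should not let an unauthenticated stranger's requests lock out the device that currently holds the account.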
For the researchers the problem is precisely that the attack is not sophisticated: it simply chains together weaknesses in how WhatsApp handles code requests and support tickets. Moreover, as they verified, the attack works even when the victim has two-step verification enabled; the two-step PIN protects registering the number on a new phone, which is of no help when the goal is to prevent registration altogether.
We have contacted WhatsApp's spokespeople about this and are awaiting their response.
Last February, WhatsApp users were targeted by a scam that let attackers take over accounts outright. In that case one of the victim's own contacts was the attack vector: the victim received an SMS with an activation code, and then the contact wrote asking them to pass on that code. If the victim fell for it, the attacker could register the account on another phone.