Security vulnerabilities in WhatsApp lets hackers deactivate user accounts remotely

WhatsApp is undeniably one of the most loved messaging platforms of today, however recently it has put users at risk. Recently there was news of a scam that hacks into users’ contacts. A more severe vulnerability has come up that leverages WhatsApp’s verification system to enable attackers to permanently deactivate a user account.

The hack has been discovered by security researchers and it can pose a serious threat to WhatsApp users. Anyone with the user’s phone number can deactivate the account remotely. What’s more alarming is that even security measures such as two-factor authentication (2FA) cannot safeguard against such attacks.

The hack leverages the security weakness present in WhatsApp’s ID verification architecture. There are two ways, the first one is performed via the log-in-via-OTP process and the second is through the timer which WhatsApp sets automatically once there are a couple of login attempts.

During this process, the hacker who has your phone number and can begin feeding the number on the login screen. When the hacker works on the first step users won’t be affected and will be able to use WhatsApp like they normally would.

However, the user will continue to receive a string of messages as a hacker is attempting to feed in many codes in the login screen to go to the next step. In the next step, after numerous failed attempts, the platform will put a restriction on the number to generate any new code for a certain time period. This is when the attacker will leverage a fake email ID to send an account deactivation request to the platform. After about an hour or so WhatsApp will send the user account deactivation email.

When a user tries to re-register, an OTP will be required, which will no longer be generated as WhatsApp would have put a 12-hour restriction on new code generation.

Also, if this process continues in a loop there are chances that the automated verification system will break down as it would have reached its limit. This will make it impossible to generate new codes till eternity. If a user account remains deactivated for over 30 days, WhatsApp automatically deletes such accounts permanently.

The issue can be fixed by leveraging multi-device support that the company has been working on for some time. All that said, there is no actual workaround for this at the moment. So if a user is facing such an issue they must contact WhatsApp support immediately to secure the account.