New Exploit Allows Hackers to Lock WhatsApp Accounts Using Only a Phone Number
Daria Gromova 3 years ago
Tech Journalist & Gadget Enthusiast #Top Categories

Discover how cybercriminals are exploiting WhatsApp’s security flaws to block user accounts merely by knowing their phone numbers, and learn essential tips to protect your account.

Recent reports reveal two critical vulnerabilities in WhatsApp’s security system that cybercriminals are exploiting to disrupt users’ access to their accounts.

According to Forbes, attackers have devised a method to lock WhatsApp accounts by simply knowing the victim’s phone number, bypassing even two-factor authentication safeguards.

Here’s how the attack unfolds: the hacker installs WhatsApp on their device and registers using the victim’s phone number. During verification, WhatsApp sends a code to the victim’s phone, which is typically ignored as it appears unsolicited. However, receiving this code is not the attacker’s goal.

Repeated code requests on the attacker’s phone / Forbes

The attacker repeatedly inputs random verification codes without trying to guess the correct one. After several failed attempts, WhatsApp temporarily blocks sending new codes for 12 hours. While the victim’s WhatsApp remains functional, the authorization code delivery is suspended, which can cause issues if re-verification is needed during this period.

Next, the attacker creates a new email account and contacts WhatsApp support, falsely reporting that the phone linked to the victim’s number was stolen and requesting account deactivation. Support teams, lacking verification procedures, deactivate the account.

At this stage, the victim encounters error messages indicating their number is no longer registered with WhatsApp. Attempts to receive verification codes are met with warnings about excessive failed attempts, requiring a 12-hour wait. Previously received codes no longer work.

Code entry attempt on the victim’s device / Forbes

If this is a prank, access can be restored after 12 hours. However, if the attacker repeats the process after the timer resets, the system malfunctions: the timer shows -1 seconds on both devices, making recovery impossible.

Timer error displayed on both attacker and victim phones / Forbes

Submitting a support request after this glitch leads to permanent account deactivation without recovery options — the worst-case scenario.

Why Does This Happen?

WhatsApp relies solely on phone numbers for account identification without cross-verifying device operating systems or unique device IDs. Additionally, users cannot hide their accounts from appearing when their number is entered in the app, exposing them to potential abuse.

This lack of protection makes it easy to identify WhatsApp users by phone number. Moreover, phone numbers frequently appear in data leaks, such as the recent massive Facebook database breach.

Fixing these vulnerabilities is straightforward: WhatsApp should allow users to hide their accounts from search and implement device verification steps when logging in on new devices, such as confirming via an already authorized device.
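To make the design point concrete, here is an added example (not from the Forbes report or this article, and not WhatsApp's actual code) that models a verification-code lockout keyed only by phone number next to one that gives the already authorized device its own bucket. The class names, the failure threshold, the sample number and the assumption that the server can authenticate device IDs are all hypothetical.

```python
MAX_FAILS = 3             # assumed threshold; the article only says "several"
LOCK_SECONDS = 12 * 3600  # the 12-hour block described in the article
NUMBER = "+15550100"      # constructed sample number


class NumberKeyedLimiter:
    """Weak design: one failure counter per phone number, shared by all devices."""

    def __init__(self):
        self.fails = {}
        self.locked_until = {}

    def _key(self, number, device_id):
        return number

    def can_request_code(self, number, device_id, now):
        return now >= self.locked_until.get(self._key(number, device_id), 0)

    def record_failure(self, number, device_id, now):
        key = self._key(number, device_id)
        self.fails[key] = self.fails.get(key, 0) + 1
        if self.fails[key] >= MAX_FAILS:
            self.locked_until[key] = now + LOCK_SECONDS
            self.fails[key] = 0


class TrustedDeviceLimiter(NumberKeyedLimiter):
    """Hardened: the device already registered for a number has a separate bucket."""

    def __init__(self, authorized):
        super().__init__()
        self.authorized = authorized  # number -> authenticated id of registered device

    def _key(self, number, device_id):
        # Unknown devices still share one bucket per number, so rotating device
        # ids buys no extra guesses; only the registered device is exempt.
        trusted = self.authorized.get(number) == device_id
        return (number, "trusted" if trusted else "untrusted")


def victim_locked_out(limiter, now=0):
    """Failed verifications arrive from an unregistered device ("device-B"),
    then the registered device ("device-A") asks for a fresh code."""
    for i in range(MAX_FAILS):
        limiter.record_failure(NUMBER, "device-B", now + i)
    return not limiter.can_request_code(NUMBER, "device-A", now + 60)


if __name__ == "__main__":
    print("number-keyed:", victim_locked_out(NumberKeyedLimiter()))
    print("trusted-device:", victim_locked_out(TrustedDeviceLimiter({NUMBER: "device-A"})))
```

The same separation would have to apply to support-driven deactivation, which this sketch does not model.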

How to Protect Yourself from Account Lockouts

WhatsApp representatives advise victims of such attacks to promptly contact support, as these actions violate platform policies. Immediate reporting upon receiving unsolicited verification codes is crucial.

They also recommend linking an email address to your WhatsApp account to simplify recovery. However, no announcements have been made regarding enhanced security measures to prevent unauthorized account blocking.

*Note: Meta Platforms Inc. and its services, including Facebook and Instagram, are restricted in certain regions.

Discover the latest news and current events in Top Categories as of 10-04-2022. The article titled "New Exploit Allows Hackers to Lock WhatsApp Accounts Using Only a Phone Number" provides you with the most relevant and reliable information in the Top Categories field. Each news piece is thoroughly analyzed to deliver valuable insights to our readers.


InLiber is a global news platform delivering fast, accurate, and trustworthy information from around the world.
