Phishing on WhatsApp is very common nowadays. However, this newly discovered flaw in WhatsApp is by far the most dangerous of all.
As reported by India Today, security researchers Luis Márquez Carpintero and Ernesto Canales Pereña were the first to discover this flaw. It works in a way that nobody would believe could possibly happen.
The researchers found that the attacker first installs WhatsApp on their own phone and attempts to log in using the victim’s mobile number. When that happens, WhatsApp’s two-factor authentication system immediately sends a code to the victim’s phone number.
This does not give the attacker access to the account, but the attacker repeats the process until WhatsApp disables login for 12 hours. This prevents both the victim and the attacker from logging in to the WhatsApp account for 12 hours.
Next, the attacker emails WhatsApp, requesting that it deactivate or suspend the victim’s phone number and claiming that the victim’s phone has been lost or stolen.
WhatsApp deactivates the account without cross-checking or asking for any input from the victim. If the process is repeated, WhatsApp can lock the account permanently.
“There is no way of opting out of being discovered on WhatsApp. Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy focused would help protect users from this, as well as forcing people to implement a two-step verification PIN,” the researchers said.
Responding to this, a WhatsApp spokesperson said that providing an email address with your two-step verification helps their customer service team assist people should they ever encounter this unlikely problem.
He added that the circumstances identified by this researcher would violate WhatsApp’s terms of service, and that the company encourages anyone who needs help to email the support team so that it can investigate.