The WhatsApp messaging application contains a security flaw that allows cybercriminals to block any user’s account just by knowing their associated phone number, in a process that can be carried out in twelve hours. This has been alerted by cybersecurity researchers Luis Márquez Carpintero and Ernesto Canales Pereña, who have explained that the vulnerability affects even users who have activated the two-factor authentication system that WhatsApp uses to incorporate an additional layer of security, as stated Forbes. The security failure of the ‘app’ is due to two independent processes in WhatsApp that, used by a cybercriminal, allow him to block an account and prevent the owner from accessing it again. The first part of the vulnerability is that anyone can enter the phone number of a WhatsApp user. In that case, the victim receives the six-digit verification code by SMS or by call, and also a notification advising of the request for the code, and reminding that it should not be shared with anyone under any circumstances. The problem is that cybercriminals can carry out this process while the user continues to use their WhatsApp account in a normal way, just by knowing the victim’s phone number. By repeatedly entering an erroneous SMS password -which the user will ignore because he has not requested it or has the possibility to enter it-, cybercriminals can select the option given by the application to send a new code within twelve hours, which blocks the introduction of security codes in the meantime. As a second part of the vulnerability, cybercriminals can send an email message to WhatsApp support, warning of an alleged theft of the phone and requesting that the account be deactivated. In this process, you only need to confirm the phone number associated with the account. After this, WhatsApp begins the process to deactivate the user’s account, and the victim receives a notification to notify them that their phone number is no longer associated with the account. When you try to reset and the phone number is entered, WhatsApp does not send a new code by SMS and warns that it is necessary to wait twelve hours because too many requests have been made before. However, after twelve hours, instead of enabling a new code, WhatsApp warns that there are “-1 seconds” left to generate a new SMS key. This error message is displayed to both the victim and the attacker. In this way, the user’s account is permanently blocked, according to the researchers, and the victim will only be able to reactivate it if they contact WhatsApp support directly to review the case manually.
–
The WhatsApp messaging application contains a security flaw that allows cybercriminals to block any user’s account just by knowing their associated phone number, in a process that can be carried out in twelve hours. This has been alerted by cybersecurity researchers Luis Márquez Carpintero and Ernesto Canales Pereña, who have explained that the vulnerability affects even users who have activated the two-factor authentication system that WhatsApp uses to incorporate an additional layer of security, as stated Forbes. The security failure of the ‘app’ is due to two independent processes in WhatsApp that, used by a cybercriminal, allow him to block an account and prevent the owner from accessing it again. The first part of the vulnerability is that anyone can enter the phone number of a WhatsApp user. In that case, the victim receives the six-digit verification code by SMS or by call, and also a notification advising of the request for the code, and reminding that it should not be shared with anyone under any circumstances. The problem is that cybercriminals can carry out this process while the user continues to use their WhatsApp account in a normal way, just by knowing the victim’s phone number. By repeatedly entering an erroneous SMS password -which the user will ignore because he has not requested it or has the possibility to enter it-, cybercriminals can select the option given by the application to send a new code within twelve hours, which blocks the introduction of security codes in the meantime. As a second part of the vulnerability, cybercriminals can send an email message to WhatsApp support, warning of an alleged theft of the phone and requesting that the account be deactivated. In this process, you only need to confirm the phone number associated with the account. After this, WhatsApp begins the process to deactivate the user’s account, and the victim receives a notification to notify them that their phone number is no longer associated with the account. When you try to reset and the phone number is entered, WhatsApp does not send a new code by SMS and warns that it is necessary to wait twelve hours because too many requests have been made before. However, after twelve hours, instead of enabling a new code, WhatsApp warns that there are “-1 seconds” left to generate a new SMS key. This error message is displayed to both the victim and the attacker. In this way, the user’s account is permanently blocked, according to the researchers, and the victim will only be able to reactivate it if they contact WhatsApp support directly to review the case manually. –
–
