Security researchers have discovered a new security issue in WhatsApp that could allow a hacker to remotely suspend your account using your phone number. This vulnerability reportedly existed in the app for a long time due to a fundamental weakness.
This puts billions of WhatsApp users at risk, since a hacker could remotely deactivate your account and prevent you from activating it again. This security flaw can reportedly be exploited even if you are using two-factor authentication (2FA) for your WhatsApp account.
According to security researchers Luis Márquez Carpintero and Ernesto Canales Pereña, the flaw exists due to two fundamental weaknesses. The first weakness allows the hacker to gain access to your phone number. This will not give the hacker access to your WhatsApp account, since they won’t have the 6-digit code you will get on your phone.
However, multiple failed attempts with the wrong code would block further code entries on the hacker's WhatsApp app. The attacker will then be able to contact WhatsApp support to deactivate your phone number from the app. They will only need a new email address and a simple email saying that the phone has been lost or stolen.
In response, the hacker will get a confirmation email from WhatsApp, to which they can quickly respond. This will deactivate your account even if you have 2FA enabled.
WhatsApp has said that users can avoid this problem by registering their email addresses on their WhatsApp account.
"Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate."
WhatsApp has not, however, revealed whether it is working on fixing this problem.