Though the result is more annoying than dangerous, a newly exploited quirk of WhatsApp’s two-factor authentication system does appear to make it relatively easy for an attacker to lock you out of your account for varying amounts of time. And all a bad actor needs to pull it off, as of this writing, is to know the phone number you’ve associated with your WhatsApp account. That’s it.
The attack itself is pretty easy to execute. As Android Police describes:
This newly-discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it because, of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.
Here’s where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.
The silver lining here is that the attacks can’t actually be used to break into your account, merely to piss you off by rendering your account unusable for a period of time (potentially permanently, if the attacker is truly dedicated).
WhatsApp representatives told Forbes that the easiest way to protect yourself against this kind of attack is to make sure you’ve associated an email address with your two-step verification process so the attacker won’t be able to spoof your identity. You can do that right now by pulling up WhatsApp, loading its Settings, tapping on Two-Step Verification, and inputting your email address (or checking to make sure you’ve already done so).
This isn’t going to block the attack per se, but it’ll make it a lot easier for WhatsApp’s customer service team to help you out should you find yourself in a “prevented from authenticating my account” feedback loop — which is what will happen if an attacker reaches out to WhatsApp posing as you, claiming that your account has been hacked and that WhatsApp should deactivate it. (You’ll then “receive” codes to revert the mistaken de-registration, only you won’t be able to input them because of the previous trick, which will have temporarily banned you for entering too many incorrect 2FA codes.)
As Forbes’ Zak Doffman writes:
This isn’t complex and should be easily fixed. WhatsApp could ensure that an app on a device with 2FA registered can prevent this issue, using 2FA as a circuit breaker. Even more simply, when multi-device access eventually appears, WhatsApp could use the trusted device concept to enable one verified app to verify another. This is a much better system and would shut down this vulnerability.
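To make the two design changes concrete, here is an added, illustrative model (not WhatsApp’s code, and not from Android Police or Forbes) of the flow described above. `WeakPolicy` reproduces the behaviour the article describes: the failed-code counter is keyed on the phone number alone, and a deactivation request is honoured for any email that claims the number. `HardenedPolicy` applies the two remedies the page points at: keying the lockout on the requesting device as well as the number, and treating the registered two-step-verification email or an already trusted device as the circuit breaker for deactivation. The threshold of five attempts, the class and function names, and the phone and email values are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: the article only says "multiple repeated and failed attempts".
MAX_FAILED_CODES = 5


@dataclass
class Account:
    phone: str
    registered_email: Optional[str] = None  # email linked in Two-Step Verification
    trusted_device: Optional[str] = None    # device that already completed verification
    suspended: bool = False


class WeakPolicy:
    """Models the behaviour described in the article: the failure counter is keyed on
    the phone number alone, and a deactivation request is honoured for any email
    that claims the number."""

    def __init__(self) -> None:
        self.failed = defaultdict(int)
        self.locked = set()  # phone numbers currently locked out

    def submit_code(self, acct: Account, device: str, code_ok: bool) -> str:
        if acct.phone in self.locked:
            return "locked"
        if code_ok:
            self.failed.pop(acct.phone, None)
            return "verified"
        self.failed[acct.phone] += 1
        if self.failed[acct.phone] >= MAX_FAILED_CODES:
            self.locked.add(acct.phone)  # a stranger's guesses lock the owner too
            return "locked"
        return "retry"

    def request_deactivation(self, acct: Account, from_email: str) -> str:
        acct.suspended = True  # no check that from_email belongs to the account owner
        return "suspended"


class HardenedPolicy:
    """Two changes: (1) the failure counter is keyed on (phone, requesting device), so
    a stranger's guesses never lock the owner's own device; (2) deactivation is only
    honoured from the email registered in Two-Step Verification, or when the
    account's trusted device confirms the request."""

    def __init__(self) -> None:
        self.failed = defaultdict(int)
        self.locked = set()  # (phone, device) pairs

    def submit_code(self, acct: Account, device: str, code_ok: bool) -> str:
        key = (acct.phone, device)
        if key in self.locked:
            return "locked"
        if code_ok:
            self.failed.pop(key, None)
            return "verified"
        self.failed[key] += 1
        if self.failed[key] >= MAX_FAILED_CODES:
            self.locked.add(key)  # only this device is locked out
            return "locked"
        return "retry"

    def request_deactivation(self, acct: Account, from_email: str,
                             confirming_device: Optional[str] = None) -> str:
        if acct.registered_email and from_email == acct.registered_email:
            acct.suspended = True
            return "suspended"
        if acct.trusted_device and confirming_device == acct.trusted_device:
            acct.suspended = True
            return "suspended"
        return "rejected"  # unverified claimant: nothing happens to the account


def run_scenario(policy_cls):
    """Replays the article's sequence under a given policy: a stranger burns the code
    attempts for the number, then asks for deactivation from an unrelated email.
    Returns (what the owner's own login sees, the deactivation outcome, suspended?)."""
    acct = Account(phone="+15550100000",                 # constructed sample number
                   registered_email="owner@example.invalid",
                   trusted_device="owner-phone")
    policy = policy_cls()
    for _ in range(MAX_FAILED_CODES):
        policy.submit_code(acct, device="stranger-phone", code_ok=False)
    owner_login = policy.submit_code(acct, device="owner-phone", code_ok=True)
    outcome = policy.request_deactivation(acct, from_email="stranger@example.invalid")
    return owner_login, outcome, acct.suspended


if __name__ == "__main__":
    print("weak    :", run_scenario(WeakPolicy))       # ('locked', 'suspended', True)
    print("hardened:", run_scenario(HardenedPolicy))   # ('verified', 'rejected', False)
```

Under the weak policy the owner is locked out and then suspended without ever having acted; under the hardened policy the owner's own device still verifies, and the deactivation request is refused because it did not come from the registered email or the trusted device. The registered email is what the article's advice to fill in Two-Step Verification gives the support process to check against.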
I would expect that WhatsApp is looking into this issue and will be patching up the 2FA verification process (or account-disabling process) to render these types of drive-by-style attacks ineffective. In the meantime, perhaps consider using a different WhatsApp number entirely, if possible, to minimise the risk you’ll be locked out.