This dangerous WhatsApp flaw lets anyone suspend your account, here’s how to protect yourself

WhatsApp hasn't mentioned anything about a fix for this flaw.

Highlights
  • New WhatsApp flaw lets attackers suspend your account if they have your phone number.
  • The attacker first requests and enters multiple incorrect two-factor SMS codes, which locks out WhatsApp sign-ins on their device for 12 hours.
  • WhatsApp recommended that users provide an email address with two-factor authentication to help support executives if they run into this problem.

A new WhatsApp flaw has been discovered that lets anyone suspend your account through a two-factor authentication attempt. According to a Forbes report, security researchers Luis Márquez Carpintero and Ernesto Canales Pereña have discovered a flaw that lets attackers suspend your account if they have your phone number. The attacker first requests and enters multiple incorrect two-factor SMS codes, which locks out WhatsApp sign-ins on their device for 12 hours. After that, the perpetrator registers a new email address and emails the WhatsApp support team asking to deactivate the number, citing a lost or stolen account as the reason. Without verifying the authenticity of the request, WhatsApp automatically disables the number and you find yourself locked out with no input required from your side.

How to protect yourself from this WhatsApp flaw

While you can get back your WhatsApp account after the 12-hour window, the attackers can try to lock you out permanently by repeating the code requests two more times and then waiting for the third period to email the company. Once they do that, you will be asked to wait “-1 seconds” and have no other option but to ask WhatsApp’s help to recover your account. In a statement to Forbes, WhatsApp hasn’t mentioned a solution for the flaw, but it recommended that users provide an email address with two-factor authentication to help support executives if they run into this problem.

Considering attackers are usually interested in hijacking accounts instead of disabling them, you will probably know something is wrong during the first batch of SMS code requests. You can immediately reach WhatsApp support if you notice any such suspicious activity. This raises concerns about WhatsApp account security, but WhatsApp could technically put an end to this flaw by relying on trusted devices rather than phone numbers and by manually verifying deactivation requests to weed out suspicious activity.
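To make the failure mode concrete, here is an added Python model of the two-step abuse described above and of the mitigation the article points to. It is not WhatsApp's code; the lockout threshold of three wrong codes, the 12-hour window, and the rule that a deactivation request is honoured only when it comes from the recovery email registered with two-factor authentication are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_ATTEMPTS = 3           # assumed threshold; the article gives no number
LOCKOUT = timedelta(hours=12)  # lock-out period reported in the article

@dataclass
class Account:
    phone: str
    recovery_email: Optional[str] = None  # email added via two-factor setup
    wrong_codes: int = 0
    locked_until: Optional[datetime] = None
    lockouts: int = 0                     # how many 12h windows were triggered
    deactivated: bool = False

def submit_code(acct: Account, code: str, expected: str, now: datetime) -> str:
    """Verify an SMS code; repeated wrong codes lock sign-in for the number."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"            # victim and attacker alike are refused
    if code == expected:
        acct.wrong_codes = 0
        return "ok"
    acct.wrong_codes += 1
    if acct.wrong_codes >= LOCKOUT_ATTEMPTS:
        acct.wrong_codes = 0
        acct.lockouts += 1
        acct.locked_until = now + LOCKOUT
        return "locked"
    return "wrong"

def deactivation_request(acct: Account, sender: str, verify_sender: bool) -> str:
    """Support-desk handling of an emailed 'lost or stolen' deactivation request.
    verify_sender=False models the reported behaviour: any sender is honoured.
    verify_sender=True honours only the recovery email registered with 2FA."""
    if verify_sender and (acct.recovery_email is None or sender != acct.recovery_email):
        return "rejected"
    acct.deactivated = True
    return "deactivated"

def simulate(verify_sender: bool) -> Account:
    """Constructed scenario: attacker burns the code attempts, then emails support."""
    acct = Account("+10000000000", "owner@example.com")
    t = datetime(2021, 4, 12, 9, 0)
    for _ in range(LOCKOUT_ATTEMPTS):
        submit_code(acct, "000000", "123456", t)
    deactivation_request(acct, "attacker@example.com", verify_sender)
    return acct
```

Run `simulate(False)` to see the account end up deactivated with the victim also locked out; `simulate(True)` leaves it locked for 12 hours but still the owner's.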