
WhatsApp hackers can lock you out of your account just by knowing your phone number

Published Apr 13th, 2021 11:04AM EDT
WhatsApp Account Blocked (Image: oatawa/Adobe)


WhatsApp is the world’s most popular chat app, with well over 2 billion users exchanging end-to-end encrypted texts and making calls across the platform. Like most instant messaging apps, WhatsApp is available on iOS and Android. Unlike many of its competitors, WhatsApp enables end-to-end encryption by default, as iMessage and Signal do. That encryption is not affected by the controversial privacy policy update that Facebook had to postpone to May after users flocked to competing services in early 2021.

The app’s security doesn’t just apply to chats and calls. WhatsApp also has measures in place to prevent anyone else from taking over your account. There are no usernames or passwords in WhatsApp; your phone number is the login, and a verification code sent to that number proves you control it. For someone to read your conversations, they’d need direct access to your phone, and even then you can protect chats with biometrics or a passcode. But it turns out there is a “hack” that malicious individuals are using against the app. As long as an attacker knows your number, they can potentially lock you out of your chats. The good news is that the process isn’t just slow; it never gives the attacker access to your messages.

First reported by Forbes (via The Next Web), the entire process takes about 36 hours because of the rate limits WhatsApp applies to verification attempts. To start the attack, the hacker installs WhatsApp on their own device and tries to log in with your number, which makes WhatsApp send verification codes to your phone.

The attacker cannot see those codes, so their login attempts fail. After a certain number of failed attempts, WhatsApp blocks the verification process for that number for 12 hours. WhatsApp doesn’t send the target any explicit warning that this is happening, but the flood of verification codes they never requested is the tell-tale sign.

The attacker then sets up an email address and sends WhatsApp a lost/stolen phone request for your number, which deactivates your account. WhatsApp locks you out of the app. At this point you should still be able to restore access by verifying your number again. The attacker then repeats the 12-hour cycle twice more. Once that’s done, both the attacker and the target see the same “Try again after -1 seconds” message when attempting to log in, and the target has to contact WhatsApp support to recover the account.
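The design flaw underneath this attack is that the verification budget belongs to the phone number, so anyone who knows the number can spend it. The following Python model is an added example, not WhatsApp’s code: the attempt limit, the “requester” identifier and the two keying policies are assumptions chosen to show why a limiter keyed on the target number alone lets a stranger lock the owner out, while a limiter keyed on (number, requester) throttles only the party making the requests. The 12-hour block is the figure reported in the article.

```python
from dataclasses import dataclass, field

ATTEMPT_LIMIT = 5             # assumed: code requests allowed before a block
BLOCK_SECONDS = 12 * 60 * 60  # from the article: verification blocked for 12 hours


@dataclass
class CodeRequestLimiter:
    """Rate limiter for 'send me a verification code' requests (illustrative).

    key_by_requester=False keys the budget on the target phone number only:
    whoever exhausts it blocks everyone for that number, including the owner.
    key_by_requester=True keys the budget on (phone, requester), where
    'requester' stands for whatever identifies the asking device or client.
    Both policies are assumptions; the article does not say what WhatsApp keys on.
    """
    key_by_requester: bool
    attempts: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def _key(self, phone: str, requester: str):
        return (phone, requester) if self.key_by_requester else phone

    def request_code(self, phone: str, requester: str, now: int):
        """Return (allowed, retry_after_seconds) for one code request at time `now`."""
        key = self._key(phone, requester)
        until = self.blocked_until.get(key, 0)
        if now < until:
            return False, until - now
        count = self.attempts.get(key, 0) + 1
        if count > ATTEMPT_LIMIT:
            # Budget exhausted: block this key for the full window and reset the count.
            self.blocked_until[key] = now + BLOCK_SECONDS
            self.attempts[key] = 0
            return False, BLOCK_SECONDS
        self.attempts[key] = count
        return True, 0


def simulate(key_by_requester: bool) -> dict:
    """Attacker hammers the victim's number, then the real owner tries once.

    Constructed scenario: 'attacker-device' knows only the victim's number,
    'owner-phone' is the legitimate handset, timestamps are seconds.
    """
    lim = CodeRequestLimiter(key_by_requester)
    victim = "+15555550100"  # constructed sample number
    now = 0
    attacker_blocked_after = None
    for i in range(ATTEMPT_LIMIT + 1):
        now += 30
        allowed, _ = lim.request_code(victim, "attacker-device", now)
        if not allowed:
            attacker_blocked_after = i + 1
            break
    now += 60
    owner_allowed, retry = lim.request_code(victim, "owner-phone", now)
    return {
        "attacker_blocked_after": attacker_blocked_after,
        "owner_allowed": owner_allowed,
        "owner_retry_after": retry,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("key_by_requester=%s -> %s" % (policy, simulate(policy)))
```

With the number-only policy the owner is refused with a 12-hour retry timer they never earned; with the per-requester policy the owner’s first request goes through while the attacker sits in the block. Per-requester keying is not a complete fix: the owner still receives the unrequested codes, and the lost/stolen phone email path the article describes is a separate channel this model does not cover.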

In the end, the attacker never gets access to your account and, at most, can lock you out of your chats for a few days. WhatsApp is aware of the attack and said in a statement that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.”

You should consider enabling two-step verification to increase your WhatsApp security, especially if you’ve been targeted by such an attack. Note that the two-step PIN itself doesn’t stop an attacker from triggering verification codes for your number; what helps is the recovery email you attach to it, which is what WhatsApp’s support team uses to confirm the account is yours. The good news is that you’ll know somebody is trying to lock you out the moment you start receiving texts from WhatsApp with verification codes you never requested. If that happens, contact WhatsApp yourself and warn them that you might be the target of an attack. The hacker still needs around 36 hours to lock you out, which gives you plenty of time to react.

Still, the weakness that researchers Luis Márquez Carpintero and Ernesto Canales Pereña discovered should not exist, and WhatsApp should find ways to prevent these attacks from happening. Per Forbes, WhatsApp would not confirm that it plans to fix the problem to prevent future abuse. WhatsApp plans to bring multi-device access to the app, at which point it will have to devise a way for a user to authorize multiple devices safely. Closing the loophole described above could be a side effect of a new verification process for multi-device WhatsApp use, but that’s speculation at this point.

If you think anyone has a reason to target your WhatsApp account, you should consider also installing alternative messaging apps, like Signal and Telegram. The former offers end-to-end encryption by default. The latter only encrypts end-to-end in chats where you enable the feature (its secret chats), but it also offers a tool to import all of your WhatsApp chats with ease. iPhone users also have access to iMessage, the phone’s default chat and SMS app.

Chris Smith Senior Writer

Chris Smith has been covering consumer electronics ever since the iPhone revolutionized the industry in 2008. When he’s not writing about the most recent tech news for BGR, he brings his entertainment expertise to Marvel’s Cinematic Universe and other blockbuster franchises.

Outside of work, you’ll catch him streaming almost every new movie and TV show release as soon as it's available.