WhatsApp users will be shocked by this major security flaw


A chink in WhatsApp’s armour was discovered recently that could allow anyone to deactivate your account just by sending an email to a specific address.

Cybersecurity expert, Jake Moore, brought WhatsApp’s attention to the issue on Twitter this week.

‘So let me get this right, I can type in ANY number and you will deactivate that account?’ wrote Mr Moore, posting screenshots of WhatsApp’s help page.

The vulnerability stems from how the messaging service handled lost or stolen phones. In such a scenario, users could easily deactivate their accounts with a single message.

‘Email us the phrase “Lost/Stolen: Please deactivate my account” in the body of the email and include your phone number in full international format as described here,’ reads WhatsApp’s help page in case of a lost or stolen phone.

However, they might have made deactivating an account too easy, so even a hacker, abusive partner or anyone with your phone number could deactivate your WhatsApp account from anywhere. The process took under a minute.

This is what comes up on the target phone (Picture: Jake Moore)

While deactivation does not mean your account will be deleted, it still means you’ll be logged out of your account and could lose your message threads if they weren’t backed up to the cloud.

‘Cybercriminals could have very easily deactivated any WhatsApp number resulting in that account not receiving any messages until the account owner opened their app to reactivate it,’ said Mr Moore.

‘Strangely, no notification is sent to the device once it occurs meaning people could have been locked out for some time.’

Mr Moore added that the most worrying aspect was that WhatsApp made no checks, as any unregistered email address could deactivate any WhatsApp number with a single email to WhatsApp Support.

‘Losing your phone is an awful experience and we want to help people if we can. The best thing to do is lock your SIM or deactivate your phone if that feature exists. In certain instances we may also be able to log you out on your behalf, until you find your phone again. If we’re able to help, we may ask for more information via e-mail,’ said a WhatsApp spokesperson.

The issue has since been fixed, with WhatsApp asking for proof that an account belonged to you, such as a copy of your phone bill or contract.

You’ll need proof to deactivate your account now (Picture: Jake Moore)

This still poses a problem if your phone is stolen or lost on a night out and you can’t deactivate the account instantly.

While it’s a tricky problem, Mr Moore believes that the best way around it could be for every account to be assigned a unique email address that can deactivate it.

‘Two step verification is offered to all WhatsApp accounts but this is not enabled by default which remains a problem for hijacked accounts. When two step verification is turned on accounts are far better protected from account compromise,’ said Mr Moore.
