It’s a bit of a process, but unfortunately a fairly gaping hole in WhatsApp’s account management process has been uncovered (via Forbes).
All the attacker needs is your phone number and a fresh device to get you disconnected from WhatsApp for 12 hours in the first instance. Even having two-factor authentication enabled won’t protect you and — at the time of writing — WhatsApp has no plan to resolve the problem.
The process is as simple as:
- Install WhatsApp on a new device
- Add your phone number and request a registration code the requisite number of times
- Once WhatsApp stops issuing further codes, send an email notifying WhatsApp that the phone or account has been stolen and asking for the account to be deactivated
All of this can happen in a matter of minutes and there’s nothing you can do about it. The only warning sign you’ll get is the run of SMS messages or verification phone calls from the WhatsApp service for registering a new device. Once the email is received and processed, your WhatsApp simply stops working.
Now, in reality, this shouldn’t be difficult to address with some form of verification of the deactivation request itself, whether that takes the form of a call to the registered number, an email to a verified address or a “backup password”. The team at Forbes put this to WhatsApp, who issued the statement:
Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.
As a consumer, I’d like some reassurance that my account is secure from such attacks when the fix seems so simple.
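The verification step the article asks for, as an added example that is not WhatsApp’s code or the author’s: a deactivation request that arrives by email is never actioned on its own. It only queues a single-use, short-lived confirmation token sent to the email address verified when two-step verification was set up (or, failing that, to the registered phone number), and the account is deactivated only when that token comes back inside the window. The account records, the 24-hour window, the channel names and the outbox standing in for a mail/SMS gateway are all constructed assumptions for illustration.

```python
"""Out-of-band confirmation for account-deactivation requests (illustrative, not WhatsApp's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CONFIRM_WINDOW_SECONDS = 24 * 3600  # assumed validity of a confirmation token


@dataclass
class Account:
    phone: str
    verified_email: Optional[str]            # set when two-step verification was enabled
    active: bool = True
    pending: Optional[tuple[str, float]] = None  # (sha256 of token, issued-at timestamp)


@dataclass
class DeactivationService:
    accounts: dict[str, Account]
    # Constructed outbox standing in for the email/SMS gateway: (channel, address, token).
    outbox: list[tuple[str, str, str]] = field(default_factory=list)

    def _send(self, channel: str, address: str, token: str) -> None:
        self.outbox.append((channel, address, token))

    def request_deactivation(self, phone: str, now: Optional[float] = None) -> str:
        """Handle a 'my phone was stolen, deactivate me' request.

        Never deactivates by itself; returns the channel the confirmation went to.
        Unknown numbers get the same response path so the reply does not reveal
        whether a number has an account.
        """
        now = time.time() if now is None else now
        acct = self.accounts.get(phone)
        if acct is None or not acct.active:
            return "none"
        token = secrets.token_urlsafe(24)                    # unguessable, single-use
        acct.pending = (hashlib.sha256(token.encode()).hexdigest(), now)  # store only the hash
        if acct.verified_email:                              # prefer the verified address
            self._send("email", acct.verified_email, token)
            return "email"
        self._send("sms", phone, token)                      # fall back to the registered number
        return "sms"

    def confirm_deactivation(self, phone: str, token: str, now: Optional[float] = None) -> bool:
        """Deactivate only when a valid, unexpired token for this account is presented."""
        now = time.time() if now is None else now
        acct = self.accounts.get(phone)
        if acct is None or acct.pending is None:
            return False
        digest, issued_at = acct.pending
        if now - issued_at > CONFIRM_WINDOW_SECONDS:
            acct.pending = None                              # expired: a fresh request is needed
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False                                     # wrong token; the real owner can still confirm
        acct.pending = None                                  # single use
        acct.active = False
        return True

    def is_active(self, phone: str) -> bool:
        acct = self.accounts.get(phone)
        return acct is not None and acct.active


def demo() -> dict:
    """Walk the flow with constructed accounts and return each outcome."""
    svc = DeactivationService(accounts={
        "+15550001111": Account("+15550001111", verified_email="owner@example.com"),
        "+15550002222": Account("+15550002222", verified_email=None),
    })
    t0 = 1_700_000_000.0
    results = {}
    # 1. An email claiming the phone was stolen deactivates nothing by itself.
    results["channel"] = svc.request_deactivation("+15550001111", now=t0)
    results["still_active_after_request"] = svc.is_active("+15550001111")
    # 2. A guessed token is rejected and the pending request survives for the owner.
    results["guess_rejected"] = not svc.confirm_deactivation("+15550001111", "not-the-token", now=t0)
    # 3. The token delivered to the verified channel deactivates the account.
    _, _, real_token = svc.outbox[-1]
    results["owner_confirms"] = svc.confirm_deactivation("+15550001111", real_token, now=t0 + 60)
    results["inactive_after_confirm"] = not svc.is_active("+15550001111")
    # 4. A token presented after the window has lapsed is refused; the account stays active.
    svc.request_deactivation("+15550002222", now=t0)
    _, _, late_token = svc.outbox[-1]
    results["expired_rejected"] = not svc.confirm_deactivation(
        "+15550002222", late_token, now=t0 + CONFIRM_WINDOW_SECONDS + 1)
    results["unconfirmed_still_active"] = svc.is_active("+15550002222")
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the request path and the confirmation path are separate: an email from anyone can only ever start a countdown that the verified channel must close, so the unverified claim on its own carries no authority. Storing only a hash of the token and comparing with `hmac.compare_digest` keeps a leaked database or a timing side channel from shortcutting the check.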