The heart of tech

This article was published on April 13, 2021


WhatsApp ‘flaw’ lets anyone lock you out of the app — but it’s complicated

Even having two-factor authentication enabled doesn't help

WhatsApp ‘flaw’ lets anyone lock you out of the app — but it’s complicated
Ivan Mehta
Story by

Ivan Mehta

Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That's one heck of a mixed bag. He likes to say "Bleh." Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That's one heck of a mixed bag. He likes to say "Bleh."

A new loophole in WhatsApp‘s authentication system allows an attacker to lock you out of the app, or in other words, deactivate your account. This sounds scary if you use the app frequently, but it’s worth noting the process to pull this off is fairly complicated and takes about 36 hours to execute.

Earlier this week, security researchers Luis Márquez Carpintero and Ernesto Canales Pereña shared their discovery of this flaw through an article in Forbes. Here’s how it works:

  • After installing WhatsApp, the attacker tries to login through your number by requesting authentication codes.
  • WhatsApp blocks sending codes for 12 hours after a certain number of attempts.
  • Meanwhile, the attacker sets up a new email and sends “a lost/stolen phone request” to WhatsApp support to deactivate your account.
  • WhatsApp support doesn’t really verify that if the email address is associated with your account, so it locks you out of the app.
  • After this, the attacker has to repeat the 12-hour cycle twice.
  • At the end of these three cycles, you and the attacker both will see “Try again after -1 seconds.” message, while trying to login through your number.
  • Now, you’ll have to contact WhatsApp support to recover this account.

This whole rigmarole sounds cumbersome like way too much work for an attacker to go through, simply to lock you out of your account. No data or money is extracted this way.

But the worrying part is that there’s no mechanism — like receiving an OTP — in WhatsApp support that asks you to verify yourself as the owner of your account. Plus, this method is successful in locking you out even if you’ve set up two-factor authentication.

WhatsApp said in a statement that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.”

To do that, head to Account > Two-step verification, and after entering the secure PIN, you could provide an email ID to recover it. This email ID will also help WhatsApp in verifying your request. But you might have to still email WhatsApp support if you’re locked out. Bummer.

Also tagged with