Facebook’s problems keep growing. This time it is a security hole found last weekend in the popular WhatsApp messaging service. Two Spanish students and researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, have detected a problem, one that has also been present in the service for years, whereby any malicious actor could suspend the account of any user simply by knowing their telephone number.
It makes no difference whether the affected user has two-factor authentication enabled, since the problem persists in both cases, so they may suddenly find it impossible to access their WhatsApp account.
For now, the expected fix from WhatsApp has not arrived
This discovery was initially published by Forbes. The procedure is as follows: the malicious actor tries to access the victim's account without success until reaching the limit of allowed attempts, which blocks new attempts for twelve hours. The malicious actor takes advantage of this to contact WhatsApp technical support from any email address, urging the deactivation of the account associated with the (victim's) phone number due to theft or loss.
This is where WhatsApp technical support comes in. It only verifies that the request has come from an active email address, regardless of whether a disposable email address service was used or whether the request's email address has any relationship to the phone number of the account in question, and it temporarily suspends the account of the affected user.
When the victim tries to open their WhatsApp account, they will find an alert message advising that their phone number is no longer registered in WhatsApp on this phone.
Worst of all, according to the discovery by Luis Márquez Carpintero and Ernesto Canales Pereña, the malicious actor can repeat the same operation, leaving the user’s account affected almost permanently.
At the moment, WhatsApp has not remedied the situation, despite the fact that the attack can be carried out anonymously from any mobile device by anyone. It is avoiding its responsibilities as a service, even though this situation violates its terms and conditions, and it is left in the hands of the support technician to keep these types of attacks from being exploited.