How to Prevent Attackers From Blocking You on WhatsApp
While the effect is more annoying than dangerous, a recently discovered flaw in WhatsApp’s two-factor authentication system appears to let an attacker lock you out of your account for varying lengths of time with relatively little effort. All the attacker needs, at the time of this writing, is the phone number associated with your WhatsApp account. That’s it. The attack itself is simple. As Android Police describes it:
This recently discovered flaw uses two different vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it because, of course, the two-factor authentication system sends login requests to your phone instead. After several repeated, unsuccessful attempts, your login is blocked for 12 hours.
This is where the tricky part comes in: when your account is blocked, the attacker sends a support message on WhatsApp from their email address, claiming that their (your) phone was lost or stolen, and that the account associated with your number should be deactivated. WhatsApp “confirms” this with a reply email and suspends your account without any action on your part. An attacker could repeat the process several times in a row to create a semi-permanent lockout of your account.
The good news here is that this attack can’t actually be used to break into your account; it can only annoy you by making your account unusable for a period of time (potentially for good, if the attacker is really dedicated).
WhatsApp told Forbes that the easiest way to protect yourself from this kind of attack is to make sure you have associated an email address with your two-step verification, so that an attacker can’t impersonate you as easily. You can do this right now by opening WhatsApp, going to its settings, tapping Two-Step Verification and entering your email address (or confirming that you have already done so).
This won’t block the attack as such, but it will make it much easier for WhatsApp support to help you if you find yourself stuck in a “can’t verify my account” loop, which is what happens when an attacker contacts WhatsApp impersonating you, claims your account has been hacked and asks WhatsApp to deactivate it. (You will then receive codes to cancel the erroneous deregistration, but you won’t be able to enter them, because the attacker’s earlier trick of entering too many invalid verification codes has temporarily blocked you.)
As Forbes’ Zak Doffman writes:
This is not difficult and should be easy to fix. WhatsApp can ensure that an app on a registered two-factor authentication device can prevent this problem by using two-factor authentication as a circuit breaker. Even easier, when access to multiple devices eventually arrives, WhatsApp could use the concept of a trusted device, so that one trusted app can check for another. It is a much better system for fixing this vulnerability.
I expect WhatsApp to look into this and fix the 2FA verification (or account deactivation) process so that staged attacks like this stop working. In the meantime, if you can, consider using a completely different phone number for WhatsApp to minimize the risk of being locked out.
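To make the two halves of this story concrete, here is a toy model of the verification flow described by Android Police above, alongside the “circuit breaker” shape of fix that Doffman suggests. This is an added illustration written for this page, not WhatsApp’s code. Only two things come from the article: the 12-hour block after repeated wrong codes, and deactivation being granted on the strength of a support email. The attempt limit (5), the sample number, the device and email identifiers, and the exact form of the fix (a failure counter keyed on the requesting client, and deactivation gated on confirmation from the registered device or the two-step-verification email) are assumptions.

```python
"""Toy model of the phone-number verification flow the article describes.

Added illustration, not WhatsApp's code. From the article: the 12-hour
lockout after repeated wrong codes, and deactivation granted on a support
e-mail. Assumed: the attempt limit, the identifiers, and the shape of the
"circuit breaker" fix.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 5        # assumption: the article only says "several"
LOCKOUT_SECONDS = 12 * 3600    # article: code entry blocked for 12 hours

VICTIM = "+15555550100"        # constructed sample number
OWNER_DEVICE = "owner-phone"   # constructed client identifiers
ATTACKER_DEVICE = "attacker-phone"
OWNER_CODE = "123456"          # the SMS code only the owner's phone receives


@dataclass
class VulnerableVerifier:
    """Failure counter and lockout keyed on the phone number alone, and a
    "lost phone" e-mail to support taken at face value. Anyone who knows
    the number can trip the lockout and then have the account deactivated."""
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)
    deactivated: Set[str] = field(default_factory=set)

    def submit_code(self, phone: str, client: str, code: str, now: float) -> str:
        if self.locked_until.get(phone, 0.0) > now:
            return "locked"                 # the owner is blocked even with the right code
        if code == OWNER_CODE:
            self.failures[phone] = 0
            self.deactivated.discard(phone)  # a correct code (re)registers the number
            return "ok"
        self.failures[phone] = self.failures.get(phone, 0) + 1
        if self.failures[phone] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[phone] = now + LOCKOUT_SECONDS   # keyed on the number only
            return "locked"
        return "wrong"

    def request_deactivation(self, phone: str, requester_email: str,
                             confirmed_by: Optional[str] = None) -> str:
        self.deactivated.add(phone)          # no check that the requester controls the account
        return "deactivated"


@dataclass
class HardenedVerifier:
    """Counter keyed on (phone, requesting client), so an outsider's failures
    never block the owner's device; deactivation waits for confirmation from
    the registered device or the two-step-verification e-mail."""
    registered: Dict[str, Tuple[str, Optional[str]]]   # phone -> (device, 2SV e-mail)
    failures: Dict[Tuple[str, str], int] = field(default_factory=dict)
    locked_until: Dict[Tuple[str, str], float] = field(default_factory=dict)
    deactivated: Set[str] = field(default_factory=set)

    def submit_code(self, phone: str, client: str, code: str, now: float) -> str:
        key = (phone, client)
        if self.locked_until.get(key, 0.0) > now:
            return "locked"
        if code == OWNER_CODE:
            self.failures[key] = 0
            self.deactivated.discard(phone)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS    # only this client is blocked
            return "locked"
        return "wrong"

    def request_deactivation(self, phone: str, requester_email: str,
                             confirmed_by: Optional[str] = None) -> str:
        device, tsv_email = self.registered.get(phone, (None, None))
        if device is None:
            self.deactivated.add(phone)      # nothing registered, nothing to protect
            return "deactivated"
        # confirmed_by stands in for proof of control of a trusted channel
        # (a tap on the registered device or a link in the 2SV e-mail);
        # a stranger who only knows the number has neither.
        if confirmed_by is not None and confirmed_by in (device, tsv_email):
            self.deactivated.add(phone)
            return "deactivated"
        return "pending_confirmation"


def simulate_attack(verifier, now: float = 0.0) -> Tuple[str, str]:
    """The attacker burns the attempts from their own device, then e-mails
    support; the owner then enters the correct code. Returns
    (deactivation result, what the owner sees)."""
    for _ in range(MAX_FAILED_ATTEMPTS):
        verifier.submit_code(VICTIM, ATTACKER_DEVICE, "000000", now)
    deactivation = verifier.request_deactivation(VICTIM, "attacker@example.com")
    owner = verifier.submit_code(VICTIM, OWNER_DEVICE, OWNER_CODE, now + 60)
    return deactivation, owner


if __name__ == "__main__":
    print("vulnerable:", simulate_attack(VulnerableVerifier()))
    print("hardened:  ", simulate_attack(
        HardenedVerifier(registered={VICTIM: (OWNER_DEVICE, "owner@example.com")})))
```

Against the vulnerable model the attacker gets the account deactivated and the owner sees “locked” even with the right code, which is the loop the article describes. Against the hardened model the deactivation sits at “pending_confirmation” and the owner logs in normally. Keying the counter per client should not be the only brute-force defence (a six-digit code has only a million values), so a real service would still cap total attempts per number, but by slowing them down rather than handing an outsider a 12-hour lockout lever.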