Given its popularity and the amount of personal data that can be accessed from it, WhatsApp is a prime target for hackers. There’s a new security flaw in WhatsApp that may allow almost anyone to delete your WhatsApp account without your knowledge. All that the person requires is your phone number and zero ‘hacking skills’. Of course, by deleting your WhatsApp account, the attacker will not get any access to your personal data. Having said that, you may stand to lose your WhatsApp account forever and may need to open a new account to continue using WhatsApp.
As per a report by Forbes, security researchers Luis Márquez Carpintero and Ernesto Canales found that it is relatively easy to lock out a WhatsApp user by simply entering wrong two-factor authentication (2FA) codes multiple times.
After multiple wrong codes are entered, WhatsApp automatically locks the account for 12 hours. The attackers then register a new email address with the WhatsApp account and email WhatsApp’s support team, requesting that they delete the account for the number due to a “lost or stolen account.”
The report claims that WhatsApp’s support team actually deletes the account without further verification.
While this may sound scary, this attack is not that easy to carry out in real life. This is simply because WhatsApp requests OTP verification over SMS first, before asking for the 2FA code. This means the attacker needs to have access to your phone first to get the OTP, or find other ways to steal the OTP from your device.
This means that for this attack to actually work, the attacker needs to be someone who knows you and to whom you are confident handing over your phone. Or, there is a possibility of a remote attacker who can use any remote desktop app to steal the OTP from your phone. But the chances of a remote attacker exploiting this are low, as very few hackers would want to go to the trouble of a remote attack only to delete your account.
WhatsApp introduced 2FA to guard against attackers using WhatsApp on another device without letting the victim know about it. While the system works well, no one would have thought that someone sitting next to you may simply want to delete your WhatsApp account instead of hacking it.