A crazy hiatus is discovered
Anyone can block your Whatsapp account – and there’s nothing you can do about it
Whatsapp is the most popular German messenger
© Whatsapp and mdphoto16 / Getty Images
There are always reports of stolen Whatsapp accounts. Two-factor authentication should protect against this. But it is precisely this process that can be used to block accounts completely – without the owner being able to do anything.
No contact with friends, colleagues, family, class group, or digital meeting: Suddenly banning you completely from WhatsApp is likely to be a nightmare for many people. After all, Messenger is the most important app for most Germans. But this is exactly what anyone can do for you. All you need is your phone number.
This was just discovered by security experts, reports “Forbes”. Accordingly, any WhatsApp accounts can be shut down by combining two vulnerabilities that themselves could not cause any harm. Particularly dramatic: You don’t need any tools other than an email address to attack. It also works if two-factor authentication is turned on for account lockout.
Whatsapp: This is how the blocking attack works
The attack starts with two metrics that should be of help to the users. If you logged into Whatsapp with a new smartphone, you must verify your identity for the device with an SMS code. This is exactly what the attackers are doing now. The SMS ends with the person who already owns the account. But she couldn’t do anything with it. The symbol entry mask appears only on the new device. The target of the attacker is different anyway: if you have too many SMS messages sent, Whatsapp will put a stop to them at some point – and won’t allow any further inquiries for 12 hours.
So far, this is not a problem for those affected: you can use WhatsApp as normal. Except for random SMS with security queries, you have no drawback, as long as you don’t want to transfer WhatsApp to another device yourself at this moment. But now the stage is two groups.
Suddenly closed
Again, this is actually a security measure. In order to be able to block a stolen Whatsapp account, the messaging software provides the option to request blocking by email. If one of them hasn’t saved anyone yet, the attacker can simply log in with one. Then block the account. After a short time, the corresponding message suddenly appears on the victim’s smartphone: This phone number is no longer registered in Whatsapp. To fix the problem, you must verify your identity again via SMS – but this option is now closed, first-time user learns. You were disconnected from the messenger until the ban period expired.
However, this fraud is only getting worse due to a strange Whatsapp bug, security experts discovered. Because: If the attackers block the query of the code not just once but a total of three times, there is no 12 hour wait time. Instead, the app displays a wait time of -1 second. Of course, this never goes away: the account can no longer be activated without further ado.
The fact that the scam works at all is also due to Whatsapps customer support: apparently, the email support automatically reacts to the request to block the account, and there does not seem to be an inquiry by an employee or via the phone number. The latter is completely understandable: How is Whatsapp supposed to make sure the number is the correct number when a support request is concerned with waiving this number. However, the fact that in the various set of steps, accounts of inexperienced users can be stolen without their participation and without technical knowledge on the part of the attacker, is definitely a problem that must be taken very seriously.
This is how Whatsapp reacts to the error
Faced with this by Forbes, Whatsapp Facebook parent company has reacted significantly. A spokesperson for the magazine said it was an “unlikely scenario”. The company emphasized that “the conditions described by the security researchers violate our terms of use,” as if that would reduce the likelihood of an attack. Whatsapp Recommendation: To protect themselves from attack, users should save an email address themselves. This would fill in a loophole for blocking by a third party. “We recommend that anyone who needs help send an email to our support team so they can look into the case.” According to the report, the spokesman did not want to answer whether the bugs and errors used will be fixed in the near future.
This does not help users, who now fear losing their account, at first. There is at least an obvious warning sign: if you suddenly receive several requests to enter a security code on WhatsApp without asking for it yourself, this indicates an attempt to block the account. Then, however, swift action is required: After the first ban occurs, attackers have to wait at least 12 hours for the next wave to start. After another 12 hours, if in doubt, the account is gone. Within 24 hours after the first wave of SMS, you must enter your email address at the latest. And immediately call Whatsapp yourself.
Alternatively, you can of course use the attack as an opportunity to look for alternatives to the messenger. You can find the best in this text.
Also read:
“We finally no longer understand each other” – How Whatsapp changed our communication
This is why Whatsapp is the popular shoppers’ favorite app
Whatsapp: You can use these tricks to get everything out of Messenger
“Unapologetic pop culture trailblazer. Freelance troublemaker. Food guru. Alcohol fanatic. Gamer. Explorer. Thinker.”
