Vulnerability discovered in WhatsApp: Attackers delete other accounts with just one email

A vulnerability discovered in WhatsApp allowed anyone to have another user's account deleted simply by sending an email.

WhatsApp is undoubtedly one of the most popular messaging solutions worldwide, not least because of its complete end-to-end encryption (E2EE). But E2EE alone is not enough to ensure the security of user accounts. Even as the service matures and known weaknesses are fixed, a particularly worrying vulnerability in WhatsApp was recently uncovered: anyone could remotely disable a user’s account without their consent. (via: Android Police)

Usually, WhatsApp offers the option to remotely deactivate your account in case your main phone is stolen and you don’t have access to the app. According to WhatsApp’s support documents, an email with the subject “Lost/Stolen: Please deactivate my account” and the full international phone number is sufficient to request deactivation. In an ideal world, this system might work for a company with just a few user accounts, but not for WhatsApp with its billions of users.

WhatsApp: Phone number was enough to have someone else’s account deleted

Meta has since closed the strange vulnerability in WhatsApp.

The WhatsApp deactivation process is fully automated and does not check whether the sender of the email is actually the owner of the account to be deactivated. In such a scenario, it’s easy to imagine someone who knows your phone number creating a temporary email address and requesting that your account be deactivated without your knowledge.

Professional criminals could go one step further and exploit this system on a large scale, using automated scripts to arbitrarily disable WhatsApp accounts. Through repeated denial-of-service (DoS) attacks, they could force innocent victims to pay to regain access to their accounts. Furthermore, they could steal contact information to target more people or simply delete conversations that cannot be restored without a recent WhatsApp backup.

Meta is responsive and disables instant account deletions

Luckily, Meta recognized this vulnerability – possibly also due to a high number of deactivation requests. Instant account deactivation has been temporarily suspended. According to the support docs, if you were a victim of such an attack, you can recover your disabled account and all unread messages within 30 days.

WhatsApp’s quick response is commendable, but the now-deprecated feature appears to be a standard implementation from the app’s early days. In a tweet, cybersecurity consultant Jake Moore suggested that WhatsApp should re-enable the system, but should only accept disablement requests from emails linked to actual WhatsApp account holders. In addition, two-factor authentication should be mandatory for all WhatsApp accounts, instead of being optional as it is currently.
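To make the flaw and the suggested fix concrete, here is an added toy model (not WhatsApp's or Meta's code, and not the actual deactivation pipeline) of an email-driven deactivation handler. It places the unverified behaviour the article describes beside a hardened variant that only honours a request when the sender address is the one linked to the account, and it models the 30-day recovery window. The `Account.linked_email` field, the phone-number regex, the function names and the sample addresses and numbers are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Subject line quoted in the article's description of the support process
DEACTIVATE_SUBJECT = "Lost/Stolen: Please deactivate my account"
# Recovery window the article mentions (30 days)
RECOVERY_WINDOW = timedelta(days=30)

# Hypothetical: an international number is "+" followed by 8 to 15 digits
PHONE_RE = re.compile(r"\+\d{8,15}")


@dataclass
class Account:
    phone: str                       # full international number
    linked_email: Optional[str]      # hypothetical: address on file for the holder
    disabled_at: Optional[datetime] = None


@dataclass
class DeactivationRequest:
    sender: str    # From: address of the incoming email
    subject: str
    body: str


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def extract_phone(body: str) -> Optional[str]:
    """Pull the first international phone number out of the email body."""
    m = PHONE_RE.search(body)
    return m.group(0) if m else None


class AccountStore:
    def __init__(self, accounts):
        self.accounts = {a.phone: a for a in accounts}

    def _lookup(self, req: DeactivationRequest):
        if req.subject.strip() != DEACTIVATE_SUBJECT:
            return None, "rejected: wrong subject"
        acct = self.accounts.get(extract_phone(req.body))
        if acct is None:
            return None, "rejected: unknown number"
        return acct, None

    def deactivate_unverified(self, req: DeactivationRequest, now: datetime) -> str:
        """Models the behaviour the article describes: the right subject plus a
        phone number is enough; the sender is never checked."""
        acct, err = self._lookup(req)
        if err:
            return err
        acct.disabled_at = now
        return "disabled"

    def deactivate_verified(self, req: DeactivationRequest, now: datetime) -> str:
        """Hardened variant: the request must come from the address linked to
        the account, so knowing a phone number alone is not sufficient."""
        acct, err = self._lookup(req)
        if err:
            return err
        if acct.linked_email is None or \
                normalize_email(req.sender) != normalize_email(acct.linked_email):
            return "rejected: sender not linked to account"
        acct.disabled_at = now
        return "disabled"

    def recover(self, phone: str, now: datetime) -> str:
        """Re-enable an account if the request arrives inside the recovery window."""
        acct = self.accounts.get(phone)
        if acct is None or acct.disabled_at is None:
            return "rejected: account not disabled"
        if now - acct.disabled_at > RECOVERY_WINDOW:
            return "rejected: recovery window expired"
        acct.disabled_at = None
        return "recovered"


def run_scenario() -> dict:
    """Constructed walk-through: a stranger's request vs. the real holder's."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed timestamp
    store = AccountStore([Account("+15551234567", "owner@example.com")])
    stranger = DeactivationRequest("throwaway@example.net", DEACTIVATE_SUBJECT,
                                   "Please deactivate +15551234567")
    owner = DeactivationRequest("Owner@Example.com", DEACTIVATE_SUBJECT,
                                "Lost my phone, number +15551234567")
    results = {}
    results["unverified_stranger"] = store.deactivate_unverified(stranger, now)
    results["recover_in_window"] = store.recover("+15551234567", now + timedelta(days=10))
    results["verified_stranger"] = store.deactivate_verified(stranger, now)
    results["verified_owner"] = store.deactivate_verified(owner, now)
    results["recover_late"] = store.recover("+15551234567", now + timedelta(days=31))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The distinct rejection reasons are returned here so the scenario is easy to follow; in a real system the reply sent back to the requester should be uniform (so that a stranger cannot learn whether a number has an account) with the specific reason only logged internally, and the linked-address check would sit alongside the mandatory second factor the article mentions rather than replace it.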
