WhatsApp can't seem to stay out of the negative headlines. A new security hole has now appeared that basically allows anyone to lock a user out of WhatsApp. The attacker just needs to know the phone number, and you can't really defend yourself against it.
WhatsApp: Anyone can lock anyone out
It's easy to log in to WhatsApp. Download the app, enter your mobile phone number, confirm that you are the right person with the code that you receive via SMS, and you can use your account. It is precisely this simple mechanism that is now WhatsApp's undoing. According to Forbes, attackers can exploit exactly this sequence to lock cell phone numbers out of WhatsApp. They just have to know the cell phone number and try to log in with it. WhatsApp then sends a code to the real owner of the number, but the attacker intentionally enters the wrong code. This suspends the re-sending of the code for 12 hours.
Once the attacker sees that it is no longer possible to resend the code, they set up a fake email address and contact WhatsApp with the claim that the cell phone was lost. WhatsApp then simply locks the user out. There is no process to check that the email address really belongs to the number. The number can be blocked, but not taken over. But that's the only positive news.
How can I protect myself against this in WhatsApp?
You can't do much about the blocking itself at first. But you can make sure that your real email address is stored with WhatsApp so that you can reactivate the account later. To do this, go to WhatsApp Settings, then Account, then Two-step verification. There, activate the PIN if you have not already done so, and also set an email address. Incidentally, two-factor authentication is useless in this case.
WhatsApp is aware of the problem, but there is no obligation to change anything because the security gap is probably not being actively exploited. Attackers gain no advantage from it, only work. Nevertheless, someone could really annoy people by blocking accounts, and the owners basically can't do anything about it.