TechGuard Blog

Hackers Can Ban Your WhatsApp Account Remotely – All They Need Is Your Number

A new vulnerability in WhatsApp allows hackers to suspend and even ban your account without ever needing to access it. That’s concerning coming from a platform with over 2 billion users. The attack is also not very sophisticated either, in fact, anyone could do it just by following a simple procedure.

The security researchers who discovered the vulnerability, Luis Márquez Carpintero and Ernesto Canales Pereña, explained that the flaw has existed for quite some time. It even works if you have two-factor authentication enabled.

Initially reported on Forbes, The attack works like this:

  • the perpetrator downloads WhatsApp onto a device
  • They then use your phone number to attempt a log-in, prompting WhatsApp to send an authentication code to your phone.
  • Not having access to your device or the code, the hacker makes numerous requests to the point that WhatsApp will temporarily ban your account for 12 hours.

Annoying, but okay, so what? I accidentally lock myself out of accounts all the time when I can’t remember the passwords. Isn’t the lock-out process supposed to protect your account from these situations? Well, yes, it should, but there’s another layer to this. You see, the hacker can then email WhatsApp support with your phone number, pretending to be you. They can claim the device was lost or stolen and ask to have the phone number deactivated from the app. Strangely, this process requires NO extra verification to ensure the emailer is who they claim to be, and it seems to be automated, so WhatsApp then sends a reply stating that your account has been DEACTIVATED.

You are none the wiser until you try to use WhatsApp and get kicked from your account. You will get a notification that reads,

“Your phone number is no longer registered with WhatsApp on this phone. This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log back into your account.”

Alright, crisis averted. You didn’t deactivate your account, so just verify your phone number and get your account back, right? Well, not so fast. Remember the 12-hour lock-out? Yep, it’s still in effect, and there’s nothing you can do. Oh, and the hacker can keep locking you out until WhatsApp basically short-circuits, and the timer goes from 12 hours to -1 seconds, essentially stalling the app indefinitely.

There have been no reports of anyone exploiting this vulnerability yet, but the risks it poses can’t be ignored. There are many reasons why someone would want to blackmail users from losing data or keep them from accessing such a huge communication platform. WhatsApp has not confirmed whether it will address the vulnerability, so the best thing you can do is enable two-factor authentication and make sure your email address is attached to your account. Unfortunately, there is no concrete solution to avoid the exploitation of this vulnerability. However, the more ways you have to verify yourself will ensure customer support can help as much as possible if you were to become a victim of this attack.

Written by Elizabeth Dasenbrock

Elizabeth Dasenbrock is a marketer/graphic designer whose mission has always been to creatively express stories and ideas. Her skill set allows her to convey concepts to particular audiences in a visually appealing way. At TechGuard, she works on the marketing team with a focus on graphic design. In her free time, she can usually be found working on personal creative projects, tending to her houseplants, or spending time with friends and family.