Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Social Networks Communications Facebook Security

Attackers Can Now Remotely Deactivate WhatsApp on Your Phone (forbes.com) 52

"Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in," reports a new article in Forbes. "Even two-factor authentication will not stop this..."

The attacker triggers a 12-hour freeze on new verification codes being sent to your phone — then simply reports that same phone number as a lost/stolen phone needing deactivation. There are apparently no follow-up questions, and "an automated process has been triggered, without your knowledge, and your account will now be deactivated," Forbes writes.

The phone can't be reactivated without one of those verification codes blocked by that 12-hour freeze (which the attacker can renew for another 12-hour window, until the next day WhatsApp blocks those reactivating codes indefinitely). "There is no sophistication to this attack — that's the real issue here and WhatsApp should address it immediately..." Forbes complains. This shouldn't happen. It shouldn't be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right...

Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals, missing key features such as multi-device access and fully encrypted backups. As the world's most popular messenger focuses on mandating new terms of service to enable Facebook's latest money-making schemes, these much-needed advancements remain "in development...."

Reached for comment, WhatsApp told Forbes that any victims of the attack should contact their support team — adding that such an attack would "violate our terms of service."

But Forbes adds "your other option would be to follow Mark Zuckerberg's reported example and start to use Signal..." Unfortunately, playing down the seriousness of security risks has become the in-house style at Facebook. Back in 2019, I reported on a vulnerability that allowed private user phone numbers to be pulled from Facebook databases at scale using automated bots. That hack was acknowledged by Facebook but dismissed as an "unlikely problem." Some 533 million users might now disagree.
This discussion has been archived. No new comments can be posted.

Attackers Can Now Remotely Deactivate WhatsApp on Your Phone

Comments Filter:
  • I'd call that (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Sunday April 11, 2021 @06:05AM (#61260534)

    a public service

    • Re: (Score:2, Redundant)

      by Z00L00K ( 682162 )

      And personally I don't worry because I'm not using that, Instagram or Facebook anyway.

      Too many anti-social medias around these days.

  • by AmiMoJo ( 196126 ) on Sunday April 11, 2021 @06:07AM (#61260540) Homepage Journal

    OMG, it violates the TOS, I'm sure no bad guys would dare do that!

  • by quonset ( 4839537 ) on Sunday April 11, 2021 @06:09AM (#61260542)

    Can someone create a script for this and start running through all phones with WhatsApp on them? For testing purposes only.

  • then i dont care because i dont have facebook or whatsapp or messenger or instagram or any of that social media on my phone, i use my phone as a tool (phone calls, txt msgs, map when i need to find something, to me my phone is not a social media toy,
    • I don't know why this is offtopic. This is a site that used to be for nerds who know. Nerds who know, know whatsapp and the others are mostly shite that try to get people to overuse them instead of actually knowing who you are talking to. And for full honesty I do use Facebook to keep in contact * with the 60 or so people I actually know in real life * and care to be friends with (and even then I am reevaluating whether that is too many). But mostly for family. And yes, Slashdot is a kind of social media si
    • by hey! ( 33014 )

      When my kids went overseas in a foreign exchange program, I had to install WhatsApp because the school used it for all communications leading up to and during the exchange. My experience with the app was that (a) it was in fact quite useful in that context but (b) it achieved that usefulness in the most annoying way imaginable.

      To be fair to the app, my problem was mainly with the way people used it. If they had used WhatsApp only to send actual news or to ask substantive questions, I would have been fully

      • by Mal-2 ( 675116 )

        So you can't jump from the fact something is annoying to the conclusion that it has to be useless.

        What are we supposed to do with the 20,000 already printed mats then?

      • by 6Yankee ( 597075 )

        How about jumping from the fact someone is annoying to the conclusion that they have to be useless? :)

    • by hjf ( 703092 )

      Special boy, do you even know what Whatsapp is?

  • by Dirk Becher ( 1061828 ) on Sunday April 11, 2021 @06:33AM (#61260590)

    Here, I corrected the headline for you!

  • by Registered Coward v2 ( 447531 ) on Sunday April 11, 2021 @07:07AM (#61260630)
    No doubt some scammers will decide to exploit this and send emails to the victims demanding payment to stop locking out the account. All the need is a list of phone numbers / emails and they're in business. The problem is there is no limit to how many scammers can exploit this, so even if a victim pays one they'd still be blocked if another one uses this exploit against them as well. Automated attacks could basically shutdown some percentage of WhatsApp accounts permanently.
  • by memory_register ( 6248354 ) on Sunday April 11, 2021 @07:08AM (#61260632)
    This problem is right in line with Silicon Valley ethics. Gotta make those dolla dolla bills, even if hackers can hold someones account for ransom or just break it for the lulz. That might be the only reason this finally gets fixed - if people lose access, the data (and money) stops flowing.
    • I thought that was the corner stone of American culture / capitalism...

      (Especially worrying since the other corner stone is warfare. ;)

      • I'm guessing you get most of your information about America from Hollywood or our news outlets. It's the equivalent of thinking everyone in Australia is Crocodile Dundee or all Englishmen wear bowler hats and three-piece suits (though that does sound cool).

        Most Americans are like everyone else - hardworking, family-oriented, living out their lives in states of greater or lesser contentment. Most of us don't like war, we're not greedy, we don't seek fame. However, because America does have something uniqu
  • Facebook doesn't even have customer support. You're not the customer. You're the product.
  • by BAReFO0t ( 6240524 ) on Sunday April 11, 2021 @08:23AM (#61260730)

    It isn't like it was chosen out of merit.
    It was chosen due to the Flappy Bird effect. (It was chosen because people were told it was chosen by people.)
    Evil tongues say those were bought and an ad campaign.

    It's literally just a XMPP knock-off (some say with code copied from open-source projects) with lock-in added (and federation removed). Its original "encryption" literally served no other purpose. It certainly wasn't anything but trivial to crack. And the ability to work without a permanently open port, by using a "post office"-like server certainly wasn't new (see: e-mail), not even in the mobile messenger world.

    So your expectation that it should be special, just because it got so many users, is as unfair and unwarranted as expecting Flappy Bird to have good graphics.

    • by XXongo ( 3986865 )

      It isn't like it was chosen out of merit. It was chosen due to the Flappy Bird effect. (It was chosen because people were told it was chosen by people.)

      The value of a social contact app is directly proportional to the number of people in your social group who use it. What'sApp is popular because a lot of people use it. A lot of people use it because it is popular.

  • I mean, obviously WhatsApp does not have people that have the slightest bit of imagination when it comes to attack vectors. What a fail.

  • by ceoyoyo ( 59147 )

    Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals

    I guess someone works for the competition?

    This is an example of a silly mistake that people make all the time. Ask any online game designer: whenever you release a new feature, your user base is going to try and exploit it in ways you have't foreseen. They're usually successful.

    Twitter is even dumber. I have a pretty generic gmail address that people are always using by mistake. Apparently someone si

    • Try a password reset for your email address on https://twitter.com/account/be... [twitter.com] .

      • by ceoyoyo ( 59147 )

        You'd think, wouldn't you? Except when you enter your e-mail address, the next screen asks for your username. If you click "I don't have access to this information" then it takes you to a help screen that gives you a few options, all of which have username as a required field. If you fill it out and put a dummy in the username field, Twitter help closes the ticket automatically.

        I chased around their system for a while, but it seems to be a neat little trap. If your e-mail address (or phone number, I assume)

  • Stupid stuff like this is why I'm staying with Apple's iMessage system. You can shout "lock-in" all you want, but they're not Google and they're not Facebook and you'll never convince me to switch to something else.

  • Okay, that's funny. Not surprising or unexpected, but funny.

    It'd be like if we found that the presidential launch codes to our nuclear missiles was "00000000", ha ha wouldn't that be funny as hell?

    ( https://en.wikipedia.org/wiki/... [wikipedia.org] )

  • At least the way Fox News uses it.
  • Write a script to block every phone number in the recent Facebook data leak.

    When millions of users start complaining, something will get done.

  • I'm rather surprised at the amount of WhatsApp hate. Many accusing it of being technically inept and worthless.

    I disagree. For me WhatsApp is a VERY easy to use and fairly clever messaging App. It provides cross platform toll bypassing end-to-end encrypted texting, VoIP, and video, that just works and just works quite well.

    I feel that it was one of the first to do all this. When WhatsApp rose to prominence and hit critical mass, services like Skype were not as easy on mobile devices, didn't have end to end

    • by hjf ( 703092 )

      The hate comes from american nerds who have no idea what WhatsApp is and hate it just for being a Facebook product.

      Americans don't use Whatsapp, they have no idea it was an app unrelated to facebook for almost a DECADE. And they have no idea it's just another instant messenger.

      These imbeciles believe it's a "social media platform". But then again, there are IMBECILES in this site who propose that email should be used instead of instant messaging. Completely missing the point.

  • I remember running WinNuke [wikipedia.org] once or twice. Honestly the Windows computer in question needed to be taken off-line, as a public service.

    With the proliferation of messaging networks, it's a wonder that anyone is able to get together online anymore. We even made a free, well documented protocol for instant messaging and public-subscribe systems. The big players briefly used it then they dropped it because nobody could agree to any new extensions. It fell short on being able to pass custom emoticons and establish

  • What is it ? lol

Nobody said computers were going to be polite.

Working...