Attackers Can Now Remotely Deactivate WhatsApp on Your Phone (forbes.com)
"Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in," reports a new article in Forbes. "Even two-factor authentication will not stop this..."
The attacker triggers a 12-hour freeze on new verification codes being sent to your phone — then simply reports that same phone number as a lost/stolen phone needing deactivation. There are apparently no follow-up questions, and "an automated process has been triggered, without your knowledge, and your account will now be deactivated," Forbes writes.
The phone can't be reactivated without one of those verification codes blocked by that 12-hour freeze (which the attacker can renew for another 12-hour window, until the next day WhatsApp blocks those reactivating codes indefinitely). "There is no sophistication to this attack — that's the real issue here and WhatsApp should address it immediately..." Forbes complains. This shouldn't happen. It shouldn't be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right...
Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals, missing key features such as multi-device access and fully encrypted backups. As the world's most popular messenger focuses on mandating new terms of service to enable Facebook's latest money-making schemes, these much-needed advancements remain "in development...."
Reached for comment, WhatsApp told Forbes that any victims of the attack should contact their support team — adding that such an attack would "violate our terms of service."
But Forbes adds "your other option would be to follow Mark Zuckerberg's reported example and start to use Signal..." Unfortunately, playing down the seriousness of security risks has become the in-house style at Facebook. Back in 2019, I reported on a vulnerability that allowed private user phone numbers to be pulled from Facebook databases at scale using automated bots. That hack was acknowledged by Facebook but dismissed as an "unlikely problem." Some 533 million users might now disagree.
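The chain described in the summary, modelled as an added example (not code from Forbes, the researchers or WhatsApp): a toy account-recovery policy whose verification-code freeze is keyed on the target phone number and whose lost-phone report is honoured with no proof of possession, beside a hardened variant that keys the freeze on the requesting client and rejects deactivation requests from anyone but the registered device. The story does not say how the freeze is triggered, so the trigger used here (repeated code requests), the threshold, the device names and the phone number are all constructed assumptions.

```python
# Toy model of the lockout chain in the story. Names, thresholds and the
# freeze trigger are constructed for this example, not WhatsApp's mechanism.
from dataclasses import dataclass, field

MAX_CODE_REQUESTS = 5   # constructed threshold before a freeze kicks in
FREEZE_HOURS = 12       # freeze length quoted in the story


@dataclass
class Account:
    number: str
    active: bool = True
    owner_device: str = "owner-phone"                    # constructed: the owner's registered device
    code_requests: dict = field(default_factory=dict)    # request counter per rate-limit key
    frozen_until: dict = field(default_factory=dict)     # freeze expiry (hours) per rate-limit key


class RecoveryPolicy:
    """Shared verification-code limiter; subclasses pick the rate-limit key
    and the deactivation rule, which is exactly where the two policies differ."""

    def rate_limit_key(self, acct, requester):
        raise NotImplementedError

    def request_code(self, acct, requester, now_hours):
        key = self.rate_limit_key(acct, requester)
        if acct.frozen_until.get(key, -1) > now_hours:
            return False                         # still inside a freeze window
        count = acct.code_requests.get(key, 0) + 1
        acct.code_requests[key] = count
        if count > MAX_CODE_REQUESTS:
            acct.frozen_until[key] = now_hours + FREEZE_HOURS
            return False
        return True                              # a code would be sent

    def report_lost(self, acct, requester):
        raise NotImplementedError


class NaivePolicy(RecoveryPolicy):
    """Freeze keyed on the victim's number; lost-phone report needs no proof."""

    def rate_limit_key(self, acct, requester):
        return acct.number

    def report_lost(self, acct, requester):
        acct.active = False                      # automated, unauthenticated deactivation
        return True


class HardenedPolicy(RecoveryPolicy):
    """Freeze keyed on the requesting client; deactivation needs proof of
    possession, modelled here as a request coming from the registered device."""

    def rate_limit_key(self, acct, requester):
        return requester

    def report_lost(self, acct, requester):
        if requester != acct.owner_device:
            return False                         # stranger with only the number: rejected
        acct.active = False
        return True


def simulate(policy):
    """Run the two-step scenario and report where the owner stands afterwards."""
    acct = Account(number="+1-555-0100")         # constructed sample number
    # Step 1: a stranger who knows only the number hammers the code endpoint
    # from their own client until the limiter freezes.
    for _ in range(MAX_CODE_REQUESTS + 1):
        policy.request_code(acct, "stranger-client", now_hours=0)
    # Step 2: the same stranger files a lost-phone report for that number.
    report_accepted = policy.report_lost(acct, "stranger-client")
    # One hour later the real owner, on the registered device, asks for a code.
    owner_gets_code = policy.request_code(acct, acct.owner_device, now_hours=1)
    return {
        "deactivated": not acct.active,
        "report_accepted": report_accepted,
        "owner_gets_code": owner_gets_code,
    }


if __name__ == "__main__":
    for policy in (NaivePolicy(), HardenedPolicy()):
        print(type(policy).__name__, simulate(policy))
```

Under the naive policy the owner ends up deactivated and unable to request a code until the freeze expires, which is the lockout the story describes; under the hardened policy the stranger's flood only freezes the stranger's own client, and the report is dropped because it carries no proof of possession. The general lesson is that any anti-abuse lockout keyed solely on the victim's identifier is itself a denial-of-service lever for whoever knows that identifier.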
I'd call that (Score:5, Insightful)
a public service
Re: (Score:2, Redundant)
And personally I don't worry because I'm not using that, Instagram or Facebook anyway.
Too many anti-social medias around these days.
Re: (Score:2)
Ah yes, another american who has no idea what WhatsApp is
TOS violation! (Score:5, Funny)
OMG, it violates the TOS, I'm sure no bad guys would dare do that!
TOS violation!-Power of the press...release. (Score:3)
Stand back now. It's going to unleash...the press release! Now I feel sorry for the bad guys.
Re: (Score:2)
Re: (Score:2)
I'm thinking it was the Deep State. You know how tricky they can be- so tricky that literally no one can find them.
Scripting possible? (Score:5, Insightful)
Can someone create a script for this and start running through all phones with WhatsApp on them? For testing purposes only.
Re:Scripting possible? (Score:5, Funny)
Maybe use the phone numbers from the Facebook leak for extra irony?
if it only effects WhatsApp (Score:1, Offtopic)
Re: (Score:1)
that's the fucking point captain dick, he isn't special
Re: (Score:3)
Not being special isn't a justification for attacking someone or calling him out.
Now it's true the fact that this issue doesn't affect the poster doesn't mean it's not important to *someone*. But everyone does this. Everyone is parochial at least until it's pointed out to them.
Re: (Score:2)
No, you can't be like me. Even I have trouble doing it sometimes.
With that said, I use my phone for making calls, taking calls, and occasionally snapping a picture. That's about it.
It must be weird for someone like you to see someone like me, someone who's not hunched over a shiny rectangle 24/7 keeping up with whatever the Kartrashians are doing today.
But hey, you do you.
Re: (Score:2)
Re: (Score:3)
When my kids went overseas in a foreign exchange program, I had to install WhatsApp because the school used it for all communications leading up to and during the exchange. My experience with the app was that (a) it was in fact quite useful in that context but (b) it achieved that usefulness in the most annoying way imaginable.
To be fair to the app, my problem was mainly with the way people used it. If they had used WhatsApp only to send actual news or to ask substantive questions, I would have been fully
Re: (Score:2)
What are we supposed to do with the 20,000 already printed mats then?
Re: (Score:2)
How about jumping from the fact someone is annoying to the conclusion that they have to be useless? :)
Re: (Score:2)
Special boy, do you even know what WhatsApp is?
Remote surgery finally safe & secure (Score:3)
Here, I corrected the headline for you!
Another problem (?) with the exploit (Score:3)
Re: Another problem (?) with the exploit (Score:5, Insightful)
That is victim blaming, to be frank.
You imply that they chose. Or even had a choice. (A popular thing in American culture, I noticed.) That is not how the "average Joe" works.
It was "Girlfriend is on WA only. New boss is too. Use WA or be the recluse in his basement.". And every now and then, it's "They say that WA is the most popular one. It's the first one in the list. I dunno, so ...". (Aka viral marketing and click buying.)
Only we have so many geek friends or no friends at all, to be able to do this.
The best we can do, is at least have the spine to make our closest peers use Signal. Girlfriend, parents, children (!!) the like.
And to stop being so damn black-eyed and start facing the fact that "they" (the businesses) really *are* flooding us with whatever they want being a thing, even though it isn't, until it actually is.... And really *are* manipulating us all day every day. (That's what communication is.) And free will really is a convenient illusion, especially for social lifeforms where most knowledge is hearsay.
_ _ _
Oh, and: EVERYONE who keeps downmodding comments instead of telling people where they went wrong, *is a complete piece of shit*, a coward of cowards, an active harm to humanity, and should go back to Reddit.
Re: (Score:3)
> You imply that they chose. Or even had a choice. (A popular thing in American culture, I noticed.) That is not how the "average Joe" works. It was "Girlfriend is on WA only. New boss is too. Use WA or be the recluse in his basement.". And every now and then, it's "They say that WA is the most popular one. It's the first one in the list. I dunno, so ...". (Aka viral marketing and click buying.).
That's the crux of the problem; it's easy to say "switch to this" but hard to convince people to do it. I can't tell my clients I don't use X if I want to keep them as clients, which I do because it pays the bills. Until they feel pain they will continue to do what they always do; and I'm guessing WhatsApp will fix this exploit if only to avoid the bad PR from a massive locking out of accounts.
Re: Another problem (?) with the exploit (Score:2)
Move fast and break things... (Score:3, Insightful)
Re: Move fast and break things... (Score:2)
I thought that was the corner stone of American culture / capitalism...
(Especially worrying since the other corner stone is warfare. ;)
Re: (Score:2)
Most Americans are like everyone else - hardworking, family-oriented, living out their lives in states of greater or lesser contentment. Most of us don't like war, we're not greedy, we don't seek fame. However, because America does have something uniqu
What did you expect (Score:2)
What did you expect-bean express. (Score:2)
Well I've moved on. Let's see a can of beans do that.
WhatsApp is not special (Score:3)
It isn't like it was chosen out of merit.
It was chosen due to the Flappy Bird effect. (It was chosen because people were told it was chosen by people.)
Evil tongues say those were bought and an ad campaign.
It's literally just a XMPP knock-off (some say with code copied from open-source projects) with lock-in added (and federation removed). Its original "encryption" literally served no other purpose. It certainly wasn't anything but trivial to crack. And the ability to work without a permanently open port, by using a "post office"-like server certainly wasn't new (see: e-mail), not even in the mobile messenger world.
So your expectation that it should be special, just because it got so many users, is as unfair and unwarranted as expecting Flappy Bird to have good graphics.
Re: (Score:3)
It isn't like it was chosen out of merit. It was chosen due to the Flappy Bird effect. (It was chosen because people were told it was chosen by people.)
The value of a social contact app is directly proportional to the number of people in your social group who use it. WhatsApp is popular because a lot of people use it. A lot of people use it because it is popular.
There is no sophistication at WhatsApp either (Score:2)
I mean, obviously WhatsApp does not have people that have the slightest bit of imagination when it comes to attack vectors. What a fail.
Lol (Score:2)
I guess someone works for the competition?
This is an example of a silly mistake that people make all the time. Ask any online game designer: whenever you release a new feature, your user base is going to try and exploit it in ways you haven't foreseen. They're usually successful.
Twitter is even dumber. I have a pretty generic gmail address that people are always using by mistake. Apparently someone si
Re: (Score:1)
Try a password reset for your email address on https://twitter.com/account/be... [twitter.com] .
Re: (Score:2)
You'd think, wouldn't you? Except when you enter your e-mail address, the next screen asks for your username. If you click "I don't have access to this information" then it takes you to a help screen that gives you a few options, all of which have username as a required field. If you fill it out and put a dummy in the username field, Twitter help closes the ticket automatically.
I chased around their system for a while, but it seems to be a neat little trap. If your e-mail address (or phone number, I assume)
Right (Score:2)
Stupid stuff like this is why I'm staying with Apple's iMessage system. You can shout "lock-in" all you want, but they're not Google and they're not Facebook and you'll never convince me to switch to something else.
Re: (Score:2)
You'll never convince me to buy an iPhone just to talk to you.
Re: (Score:2)
Of course not! We don't even know each other, it wouldn't make any sense for either of us!
Friggin' Hilarious (Score:2)
Okay, that's funny. Not surprising or unexpected, but funny.
It'd be like if we found that the presidential launch codes to our nuclear missiles was "00000000", ha ha wouldn't that be funny as hell?
( https://en.wikipedia.org/wiki/... [wikipedia.org] )
This is cancel culture (Score:2)
One way to get it fixed (Score:2)
Write a script to block every phone number in the recent Facebook data leak.
When millions of users start complaining, something will get done.
Surprising Amount of WhatsApp Hate (Score:2)
I'm rather surprised at the amount of WhatsApp hate. Many accusing it of being technically inept and worthless.
I disagree. For me WhatsApp is a VERY easy to use and fairly clever messaging App. It provides cross platform toll bypassing end-to-end encrypted texting, VoIP, and video, that just works and just works quite well.
I feel that it was one of the first to do all this. When WhatsApp rose to prominence and hit critical mass, services like Skype were not as easy on mobile devices, didn't have end to end
Re: (Score:2)
The hate comes from american nerds who have no idea what WhatsApp is and hate it just for being a Facebook product.
Americans don't use WhatsApp, they have no idea it was an app unrelated to Facebook for almost a DECADE. And they have no idea it's just another instant messenger.
These imbeciles believe it's a "social media platform". But then again, there are IMBECILES in this site who propose that email should be used instead of instant messaging. Completely missing the point.
Disable Windows computers remotely (Score:2)
I remember running WinNuke [wikipedia.org] once or twice. Honestly the Windows computer in question needed to be taken off-line, as a public service.
With the proliferation of messaging networks, it's a wonder that anyone is able to get together online anymore. We even made a free, well documented protocol for instant messaging and publish-subscribe systems. The big players briefly used it then they dropped it because nobody could agree to any new extensions. It fell short on being able to pass custom emoticons and establish
WhatsApp. ? (Score:1)