Attackers Can Now Remotely Deactivate WhatsApp on Your Phone

"Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in," reports a new article in Forbes. "Even two-factor authentication will not stop this..."

The attacker triggers a 12-hour freeze on new verification codes being sent to your phone — then simply reports that same phone number as a lost/stolen phone needing deactivation. There are apparently no follow-up questions, and "an automated process has been triggered, without your knowledge, and your account will now be deactivated," Forbes writes.

The phone can't be reactivated without one of those verification codes blocked by that 12-hour freeze (which the attacker can renew for another 12-hour window, until the next day WhatsApp blocks those reactivating codes indefinitely). "There is no sophistication to this attack — that's the real issue here and WhatsApp should address it immediately..." Forbes complains. This shouldn't happen. It shouldn't be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right...

Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals, missing key features such as multi-device access and fully encrypted backups. As the world's most popular messenger focuses on mandating new terms of service to enable Facebook's latest money-making schemes, these much-needed advancements remain "in development...."
Reached for comment, WhatsApp told Forbes that any victims of the attack should contact their support team — adding that such an attack would "violate our terms of service."

But Forbes adds "your other option would be to follow Mark Zuckerberg's reported example and start to use Signal..." Unfortunately, playing down the seriousness of security risks has become the in-house style at Facebook. Back in 2019, I reported on a vulnerability that allowed private user phone numbers to be pulled from Facebook databases at scale using automated bots. That hack was acknowledged by Facebook but dismissed as an "unlikely problem." Some 533 million users might now disagree.

I'd call that

[Rosco P. Coltrane]

a public service

Re:

[Z00L00K]

And personally I don't worry because I'm not using that, Instagram or Facebook anyway.

Too many anti-social medias around these days.

Re:

[hjf]

Ah yes, another american who has no idea what WhatsApp is

TOS violation!

[AmiMoJo]

OMG, it violates the TOS, I'm sure no bad guys would dare do that!

TOS violation!-Power of the press...release.

[Ostracus]

Stand back now. It's going to unleash...the press release! Now I feel sorry for the bad guys.

Re:

[theshowmecanuck]

Of course they wouldn't. The good guys did this. The very good guys.

Re:

[JustAnotherOldGuy]

I'm thinking it was the Deep State. You know how tricky they can be- so tricky that literally no one can find them.

Scripting possible?

[quonset]

Can someone create a script for this and start running through all phones with WhatsApp on them? For testing purposes only.

Re:Scripting possible?

[luvirini]

Maybe use the phone numbers from the Facebook leak for extra irony?

if it only effects WhatsApp

[FudRucker]

then i dont care because i dont have facebook or whatsapp or messenger or instagram or any of that social media on my phone, i use my phone as a tool (phone calls, txt msgs, map when i need to find something, to me my phone is not a social media toy,

Re:

[Osgeld]

that's the fucking point captain dick, he isn't special

Re:

[hey!]

Not being special isn't a justification for attacking someone or calling him out.

Now it's true the fact that this issue doesn't affect the poster doesn't mean it's not important to *someone*. But everyone does this. Everyone is parochial at least until it's pointed out to them.

Re:

[JustAnotherOldGuy]

No, you can't be like me. Even I have trouble doing it sometimes.

With that said, I use my phone for making calls, taking calls, and occasionally snapping a picture. That's about it.

It must be weird for someone like you to see someone like me, someone who's not hunched over a shiny rectangle 24/7 keeping up with whatever the Kartrashians are doing today.

But hey, you do you.

Re:

[theshowmecanuck]

I don't know why this is offtopic. This is a site that used to be for nerds who know. Nerds who know, know whatsapp and the others are mostly shite that try to get people to overuse them instead of actually knowing who you are talking to. And for full honesty I do use Facebook to keep in contact * with the 60 or so people I actually know in real life * and care to be friends with (and even then I am reevaluating whether that is too many). But mostly for family. And yes, Slashdot is a kind of social media si

Re:

[hey!]

When my kids went overseas in a foreign exchange program, I had to install WhatsApp because the school used it for all communications leading up to and during the exchange. My experience with the app was that (a) it was in fact quite useful in that context but (b) it achieved that usefulness in the most annoying way imaginable.

To be fair to the app, my problem was mainly with the way people used it. If they had used WhatsApp only to send actual news or to ask substantive questions, I would have been fully

Re:

[Mal-2]

So you can't jump from the fact something is annoying to the conclusion that it has to be useless.

What are we supposed to do with the 20,000 already printed mats then?

Re:

[6Yankee]

How about jumping from the fact someone is annoying to the conclusion that they have to be useless? :)

Re:

[hjf]

Special boy, do you even know what Whatsapp is?

Remote surgery finally safe & secure

[Dirk Becher]

Here, I corrected the headline for you!

Another problem (?) with the exploit

[Registered Coward v2]

No doubt some scammers will decide to exploit this and send emails to the victims demanding payment to stop locking out the account. All the need is a list of phone numbers / emails and they're in business. The problem is there is no limit to how many scammers can exploit this, so even if a victim pays one they'd still be blocked if another one uses this exploit against them as well. Automated attacks could basically shutdown some percentage of WhatsApp accounts permanently.

Re: Another problem (?) with the exploit

[BAReFO0t]

That is victim blaming, to be frank.

You imply that they chose. Or even had a choice. (A popular thing in American culture, I noticed.) That is not how the "average Joe" works.
It was "Girlfriend is on WA only. New boss is too. Use WA or be the recluse in his basement.". And every now and then, it's "They say that WA is the most popular one. It's the first one in the list. I dunno, so ...". (Aka viral marketing and click buying.)

Only we have so many geek friends or no friends at all, to be able to do this.

The best we can do, is at least have the spine to makeour closest peers use Signal. Girlfriend, parents, children (!!) the like.

And to stop being so damn black-eyed and start facing the fact that "they" (the businesses) really *are* flooding us with whatever they want being a thing, even though it isn't, until it actually is.... And really *are* manipulating us all day every day. (That's what communication is.) And free will really is a convenient illusion, especially for social lifeforms where most knowledge is hesrsay.

_ _ _
Oh, and: EVERYONE who keeps downmodding comments instead of telling people where they went wrong, *is a complete piece of shit*, a coward of cowards, an active harm to humanity, and should go back to Reddit.

Re:

[Registered Coward v2]

>

You imply that they chose. Or even had a choice. (A popular thing in American culture, I noticed.) That is not how the "average Joe" works. It was "Girlfriend is on WA only. New boss is too. Use WA or be the recluse in his basement.". And every now and then, it's "They say that WA is the most popular one. It's the first one in the list. I dunno, so ...". (Aka viral marketing and click buying.).

That's the crux of the problem; it's easy to say "switch to this" but hard to convince people to do it. I can't tell my clients I don't use X if I want to keep them as clients, which I do because it pays the bills. Until they feel pain they will continue to do whaat they always do; and I'm guessing WhatsApp will fix this exploit if only to avoid the bad PR from a massive locking out of accounts.

Re: Another problem (?) with the exploit

[aRTeeNLCH]

Agreed on the content and the modding comment. In Switzerland, WhatsApp has been explicitly forbidden for official use in schools, due to the age requirement under 16 to get parental agreement. Agreement to get the kids' data, of course. So we told everyone Signal would be okay. Luckily, our first one is not unpopular, so all her friends just got Signal. Many also have WhatsApp, a few are only on Signal. I doubt it would have worked fine if our second kid would have been first up...

Move fast and break things...

[memory_register]

This problem is right in line with Silicon Valley ethics. Gotta make those dolla dolla bills, even if hackers can hold someones account for ransom or just break it for the lulz. That might be the only reason this finally gets fixed - if people lose access, the data (and money) stops flowing.

Re: Move fast and break things...

[BAReFO0t]

I thought that was the corner stone of American culture / capitalism...

(Especially worrying since the other corner stone is warfare. ;)

Re:

[memory_register]

I'm guessing you get most of your information about America from Hollywood or our news outlets. It's the equivalent of thinking everyone in Australia is Crocodile Dundee or all Englishmen wear bowler hats and three-piece suits (though that does sound cool).

Most Americans are like everyone else - hardworking, family-oriented, living out their lives in states of greater or lesser contentment. Most of us don't like war, we're not greedy, we don't seek fame. However, because America does have something uniqu

What did you expect

[Statharas]

Facebook doesn't even have customer support. You're not the customer. You're the product.

What did you expect-bean express.

[Ostracus]

Well I've moved on. Let's see a can of beans do that.

WhatsApp is not special

[BAReFO0t]

It isn't like it was chosen out of merit.
It was chosen due to the Flappy Bird effect. (It was chosen because people were told it was chosen by people.)
Evil tongues say those were bought and an ad campaign.

It's literally just a XMPP knock-off (some say with code copied from open-source projects) with lock-in added (and federation removed). Its original "encryption" literally served no other purpose. It certainly wasn't anything but trivial to crack. And the ability to work without a permanently open port, by using a "post office"-like server certainly wasn't new (see: e-mail), not even in the mobile messenger world.

So your expectation that it should be special, just because it got so many users, is as unfair and unwarranted as expecting Flappy Bird to have good graphics.

Re:

[XXongo]

It isn't like it was chosen out of merit. It was chosen due to the Flappy Bird effect. (It was chosen because people were told it was chosen by people.)

The value of a social contact app is directly proportional to the number of people in your social group who use it. What'sApp is popular because a lot of people use it. A lot of people use it because it is popular.

There is no sophistication at WhatsApp either

[gweihir]

I mean, obviously WhatsApp does not have people that have the slightest bit of imagination when it comes to attack vectors. What a fail.

Lol

[ceoyoyo]

Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals

I guess someone works for the competition?

This is an example of a silly mistake that people make all the time. Ask any online game designer: whenever you release a new feature, your user base is going to try and exploit it in ways you have't foreseen. They're usually successful.

Twitter is even dumber. I have a pretty generic gmail address that people are always using by mistake. Apparently someone si

Re:

[hankwang]

Try a password reset for your email address on https://twitter.com/account/be... [twitter.com] .

Re:

[ceoyoyo]

You'd think, wouldn't you? Except when you enter your e-mail address, the next screen asks for your username. If you click "I don't have access to this information" then it takes you to a help screen that gives you a few options, all of which have username as a required field. If you fill it out and put a dummy in the username field, Twitter help closes the ticket automatically.

I chased around their system for a while, but it seems to be a neat little trap. If your e-mail address (or phone number, I assume)

Right

[DontBeAMoran]

Stupid stuff like this is why I'm staying with Apple's iMessage system. You can shout "lock-in" all you want, but they're not Google and they're not Facebook and you'll never convince me to switch to something else.

Re:

[hjf]

You'll never convince me to buy an iPhone just to talk to you.

Re:

[DontBeAMoran]

Of course not! We don't even know each other, it wouldn't make any sense for either of us!

Friggin' Hilarious

[JustAnotherOldGuy]

Okay, that's funny. Not surprising or unexpected, but funny.

It'd be like if we found that the presidential launch codes to our nuclear missiles was "00000000", ha ha wouldn't that be funny as hell?

( https://en.wikipedia.org/wiki/... [wikipedia.org] )

This is cancel culture

[fibonacci8]

At least the way Fox News uses it.

One way to get it fixed

[viperidaenz]

Write a script to block every phone number in the recent Facebook data leak.

When millions of users start complaining, something will get done.

Surprising Amount of WhatsApp Hate

[SlashbotAgent]

I'm rather surprised at the amount of WhatsApp hate. Many accusing it of being technically inept and worthless.

I disagree. For me WhatsApp is a VERY easy to use and fairly clever messaging App. It provides cross platform toll bypassing end-to-end encrypted texting, VoIP, and video, that just works and just works quite well.

I feel that it was one of the first to do all this. When WhatsApp rose to prominence and hit critical mass, services like Skype were not as easy on mobile devices, didn't have end to end

Re:

[hjf]

The hate comes from american nerds who have no idea what WhatsApp is and hate it just for being a Facebook product.

Americans don't use Whatsapp, they have no idea it was an app unrelated to facebook for almost a DECADE. And they have no idea it's just another instant messenger.

These imbeciles believe it's a "social media platform". But then again, there are IMBECILES in this site who propose that email should be used instead of instant messaging. Completely missing the point.

Disable Windows computers remotely

[OrangeTide]

I remember running WinNuke [wikipedia.org] once or twice. Honestly the Windows computer in question needed to be taken off-line, as a public service.

With the proliferation of messaging networks, it's a wonder that anyone is able to get together online anymore. We even made a free, well documented protocol for instant messaging and public-subscribe systems. The big players briefly used it then they dropped it because nobody could agree to any new extensions. It fell short on being able to pass custom emoticons and establish

WhatsApp. ?

[bsdetector101]

What is it ? lol