WhatsApp flaw could get users blocked despite 2FA settings

WhatsApp has been stewing in a pot of bad PR for the past few years, and things seem to have heated up recently. Despite that, the messaging service still has millions of users, who seem to be more at risk each day as new vulnerabilities and even corporate policies keep popping up. The latest may be one of the most worrisome because it could cause any user to lose access to their account indefinitely, even with all the recommended security measures in place.

Because tricking users into handing over the keys to their accounts has become almost too easy these days, security experts strongly recommend strong, unique passwords (ideally generated and stored by a password manager) and two-factor authentication, or 2FA. Together, these measures protect accounts from being hijacked even if hackers obtain the user's password. Unfortunately, they don't protect WhatsApp users from being locked out of their own accounts: the attack described below never bypasses 2FA or gives the attacker access, it simply denies the rightful owner theirs.

Forbes reports an admittedly convoluted process in which an attacker patiently sets off a chain of events that ends with the victim blocked from their own account. It requires no sophisticated tools or hacking techniques, only patience and repeated failed verification attempts. It is allegedly made possible by assumptions built into WhatsApp's verification and support processes.

Anyone who knows the phone number associated with a WhatsApp account can try to activate it on their own phone. They will fail, of course, if the account has 2FA enabled, but every failed attempt is counted against the phone number rather than against the device making the attempt. Enough failures trip WhatsApp's limit and block new activations of that number for 12 hours, for the attacker and the legitimate owner alike. There also appears to be a bug where, after the third 12-hour "break", WhatsApp blocks activation attempts on the account via 2FA indefinitely. Once that happens, the attacker fires off an email to WhatsApp support requesting that the number associated with the account be deactivated, at which point the legitimate user is asked to verify the account again. Since the indefinite block prevents them from doing so, they're more or less permanently locked out unless they can get hold of WhatsApp support.
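As an added illustration (not code from the article or from WhatsApp, whose verification internals are not public), the following Python model shows the design property that makes the lockout step work: failed verification attempts are counted per phone number rather than per requester, and the third lockout escalates to an indefinite block, so anyone who knows the number can lock the owner out. The hardened variant keys the counters on (phone number, requester) and caps the penalty. The attempt thresholds, the requester identifiers and the phone number are constructed assumptions; the support-desk deactivation step is a process issue and is not modelled.

```python
import math
from dataclasses import dataclass

# Assumed parameters. The article gives only the 12-hour break and the
# "third break" escalation, not WhatsApp's real attempt threshold.
LOCKOUT_SECONDS = 12 * 3600
MAX_FAILED_PER_WINDOW = 3
INDEFINITE_AFTER_LOCKOUTS = 3


@dataclass
class Counter:
    failed: int = 0
    lockouts: int = 0
    locked_until: float = 0.0   # epoch seconds; math.inf means indefinite


class Verifier:
    """Verification-code check with lockout.

    key_on_requester=False models the weak design: failures from anyone
    count against the phone number, and the third lockout is indefinite.
    key_on_requester=True models the hardened design: failures count only
    against the (phone, requester) pair and the penalty never escalates
    beyond a finite break.
    """

    def __init__(self, codes, key_on_requester=False):
        self.codes = codes              # phone -> genuine code (owner only)
        self.key_on_requester = key_on_requester
        self.counters = {}

    def _key(self, phone, requester):
        return (phone, requester) if self.key_on_requester else phone

    def attempt(self, phone, code, requester, now):
        key = self._key(phone, requester)
        c = self.counters.setdefault(key, Counter())
        if now < c.locked_until:
            return "locked"
        if code == self.codes[phone]:
            self.counters.pop(key, None)  # success clears the counter
            return "verified"
        c.failed += 1
        if c.failed < MAX_FAILED_PER_WINDOW:
            return "wrong"
        c.failed = 0
        c.lockouts += 1
        if not self.key_on_requester and c.lockouts >= INDEFINITE_AFTER_LOCKOUTS:
            c.locked_until = math.inf      # the indefinite block the article describes
        else:
            c.locked_until = now + LOCKOUT_SECONDS
        return "locked"


def simulate(key_on_requester):
    """Attacker knows only the victim's number: submits wrong codes until
    locked, waits out each 12-hour break, repeats for three cycles. Then the
    owner tries to activate a new phone with the genuine code. Returns the
    owner's result."""
    phone, owner, attacker = "+15550001111", "owner-device", "attacker-device"
    v = Verifier({phone: "123456"}, key_on_requester)
    now = 0.0
    for _ in range(INDEFINITE_AFTER_LOCKOUTS):
        while v.attempt(phone, "000000", attacker, now) != "locked":
            pass
        now += LOCKOUT_SECONDS + 1       # wait out the break, then try again
    return v.attempt(phone, "123456", owner, now)


if __name__ == "__main__":
    print("account-keyed lockout, owner result:  ", simulate(False))   # locked
    print("requester-keyed lockout, owner result:", simulate(True))    # verified
```

The requester-keyed variant assumes a requester identity (device, IP or similar) that an attacker cannot rotate freely; where that is not available, the essential fix is the other half of the model, namely never letting third-party failures escalate into an indefinite block that the owner, who can prove possession with the genuine code, cannot clear.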

WhatsApp has reportedly downplayed the severity of the technique, warning that anyone who attempts it will face consequences. Attackers willing to use it are unlikely to be deterred by that. The Facebook-owned company doesn't seem worried enough to change its processes and systems, but with a user base in the millions it will probably be forced to once the vulnerability starts being exploited en masse.