The messaging belonging to Facebook is the subject of a fraud which allows its users to be deprived of their account, by using their phone number.
It is a clever mix of double authentication and a race against time. A technique discovered by two security researchers, cited by Forbes, allows you to get your hands on WhatsApp accounts, without any real recourse possible from their holders.
How? ‘Or’ What? The process takes place in two stages, each of which focuses on a weak point of the application to two billion users. When creating a WhatsApp account, or installing it on a new phone, the network offers to activate two-step verification, which allows you to secure your account by sending an SMS to your phone.
A six-digit code, contained in this SMS, is required to activate the application. Clever kids can nevertheless bet on a so-called brute force strategy to generate these same codes. All they need to do is enter the phone number of the account they want to recover. The user of the account will therefore receive a series of SMS on his mobile phone … until WhatsApp blocks this system, after too many authorized attempts.
The problem: The restrictions that hackers are subject to also apply to the account holder. As a result, the sending of SMS by WhatsApp is blocked for 12 hours. It’s up to hackers to move on to the second step, during these same 12 hours: sending an email to [email protected], mentioning a lost or stolen account. The idea is to deactivate the phone number associated with the WhatsApp account in question. The sending of SMS is blocked, the response will be by email, the account is now also temporarily blocked.
From then on, and for no apparent reason, the user will receive a notification, including the following message: “Your phone number is no longer registered with WhatsApp on this phone. This may be due to the fact that you have registered it on a other phone. If you haven’t, verify your phone number to sign in to your account again. “
WhatsApp can then ask to re-enter its phone number. But the SMS blocking is still valid: no SMS reaches the user, except a message on WhatsApp indicating that it is still necessary to wait.
After 12 hours, and if the hacker really wants to block an account, he just has to repeat the operation. After three 12-hour periods, and if the WhatsApp account holder proves to be less responsive than its hackers, the account will be completely deactivated because the application considers it a fraudulent account.
Contacted by Forbes, WhatsApp has recognized the problem without providing a solution yet. WhatsApp nevertheless offers its users to “provide an email address at the time of two-step verification” to help the support team. Which seems ridiculous.