WhatsApp, a popular messaging app known for its end-to-end encryption, had a security flaw that could have allowed attackers to deactivate user accounts without their consent. While end-to-end encryption is a valuable security feature, it requires additional measures to prevent unauthorized access. Fortunately, this vulnerability has been patched.
In some cases, such as when a user’s primary phone is stolen, WhatsApp lets users remotely deactivate their accounts to prevent misuse. According to WhatsApp’s support documentation, users could email the phrase “Lost/Stolen: Please deactivate my account” together with their phone number in international format. While this may have been adequate for a company with a small user base, it was not adequate for WhatsApp, which serves billions of users worldwide.
The vulnerability could have been exploited by anyone who obtained a user’s phone number: they could send that email to WhatsApp, and the account would be deactivated without the user’s knowledge or consent. This could have allowed attackers to access the user’s messages, contacts, and other data.
WhatsApp has since patched the vulnerability. Users should update their app to the latest version to protect themselves from this and other potential security threats.
Jake Moore, ESET’s Global Cybersecurity Advisor, pointed out the flaws in this process. Notably, WhatsApp’s system was fully automated and lacked any verification mechanism to confirm that the email sender owned the associated WhatsApp account. As a result, anyone who knew your phone number could create a disposable email address and request the deactivation of your account without your knowledge.
Skilled cybercriminals could exploit this flaw at scale by using automated scripts to deactivate WhatsApp accounts at random. They might repeatedly perpetrate denial-of-service (DoS) attacks until innocent victims paid to regain access to their accounts. In addition, these attackers could harvest contact information to target more individuals, and conversations could be lost irretrievably unless a recent WhatsApp backup existed.
Fortunately, Meta, the parent company of WhatsApp, has taken note of this flaw—perhaps prompted by an overwhelming influx of deactivation requests. As a result, immediate account deactivation has been turned off. For users affected by such an attack, support documentation provides instructions on recovering deactivated accounts and retrieving unread messages within 30 days.
While we appreciate WhatsApp’s prompt response, the deactivated-account feature was a remnant of WhatsApp’s early days as a developing application. It was likely removed because it was rarely used and was considered unnecessary to the company.
However, in light of recent events, it is clear that the feature is needed to protect users’ privacy. The cybersecurity advisor proposed that WhatsApp reintroduce the system but only consider deactivation requests from emails associated with the respective WhatsApp account owners.
This would ensure that only the account owner could deactivate their account, preventing unauthorised users from doing so. He also suggested making two-step verification mandatory for all WhatsApp accounts, rather than the optional feature it currently is. This would add an extra layer of security to accounts, making it more difficult for hackers to access them.
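The difference between the flawed process and the proposed fix comes down to one check on the request handler. The following is an added illustration, not WhatsApp’s code; the account directory, the field names and the e-mail handling are constructed assumptions. It contrasts a handler that deactivates on the phone number alone with one that only honours requests from the e-mail address registered to that account.

```python
import re

# Documented request format: the phrase plus an international (E.164) phone number.
REQUEST_PHRASE = "lost/stolen: please deactivate my account"
PHONE_RE = re.compile(r"\+\d{7,15}")


def make_sample_accounts() -> dict:
    """Constructed sample directory: phone number -> registered e-mail and status.
    Hypothetical layout; the real service's schema is not public."""
    return {
        "+447700900123": {"email": "owner@example.com", "active": True},
        "+14155550100": {"email": "alice@example.org", "active": True},
    }


def parse_request(body: str):
    """Return the phone number named in the e-mail body, or None if the body
    does not carry the documented deactivation phrase or a usable number."""
    text = body.strip()
    if REQUEST_PHRASE not in text.lower():
        return None
    match = PHONE_RE.search(text)
    return match.group(0) if match else None


def deactivate_unverified(sender: str, body: str, accounts: dict) -> str:
    """The flawed process described in the article: the sender is never checked,
    so knowing a phone number is enough to deactivate the account."""
    phone = parse_request(body)
    if phone is None or phone not in accounts:
        return "ignored"
    accounts[phone]["active"] = False
    return "deactivated"


def deactivate_verified(sender: str, body: str, accounts: dict) -> str:
    """Hardened variant of the same handler: the request is honoured only when the
    sending address matches the e-mail registered to the account. A From: header
    can be forged, so a production system should additionally confirm the request
    through a token sent to that registered address before acting."""
    phone = parse_request(body)
    if phone is None or phone not in accounts:
        return "ignored"
    if sender.strip().lower() != accounts[phone]["email"].lower():
        return "rejected"
    accounts[phone]["active"] = False
    return "deactivated"
```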
Given this revelation, we will closely monitor how WhatsApp enhances its account deactivation systems, with an emphasis on reinforcing security measures and protecting user accounts.