A researcher spotted a trivial way to trigger account deactivation for any target WhatsApp account. Notably, WhatsApp quickly addressed the lapse shortly after his report, making malicious remote account deactivations considerably harder.
WhatsApp Remote Account Deactivation Threat Applied To Anyone
In a recent tweet, ESET security researcher Jake Moore pointed out how he could deactivate any WhatsApp account within minutes, with no further verification.
The flaw was not a coding error or a software vulnerability. Instead, it lay in how an adversary could abuse an otherwise straightforward support procedure, a favourite approach of criminal hackers.
Specifically, WhatsApp allowed users to quickly lock their WhatsApp accounts by requesting account deletion following a device loss or theft. The procedure merely required the user to email WhatsApp support, mentioning the desired WhatsApp number in the international format, with the phrase “Lost/Stolen: Please deactivate my account.” The service would then begin the account deactivation immediately.
However, that is exactly where the problem lay. As Moore highlighted, WhatsApp performed no further verification before initiating account deactivation. An adversary could therefore abuse the feature by sending an email naming the target user’s phone number from any random email address (WhatsApp did not verify the sender’s email address either).
To demonstrate the problem, Moore tried sending such an email for his own WhatsApp account. He then quickly got the response from WhatsApp, confirming account deactivation.
Bug Fixed Sneakily And Swiftly
Following Moore’s tweet, Davey Winder of Forbes also covered the matter in his post, ensuring that it received attention. That seems to have worked as intended: WhatsApp quietly but quickly began fixing the glitch.
According to the updates listed in the post, WhatsApp changed how the procedure works. At the time of writing, WhatsApp appears to have begun sending confirmation messages to users who request account deactivation. Besides confirming safe receipt of the request, the message asks the user to send proof of account ownership, such as a copy of the phone’s bill or contract.
It remains unclear if WhatsApp plans any further steps to keep the account deactivation procedure effective, fast, yet safe for the users.
Nonetheless, Moore advises users to enable two-factor authentication on all WhatsApp accounts, so that account deactivation requests are only honoured when sent from the email address registered for 2FA. Indeed, together with WhatsApp’s account ownership verification, adding 2FA could further strengthen users’ account security.
Let us know your thoughts in the comments.