There are two parts to this vulnerability, as described by the report. The first is how WhatsApp is installed on any device. For instance, when you install WhatsApp on your phone, you’ll receive an SMS code to verify the SIM card and the number. The same thing can be done by a hacker too—install WhatsApp on their phone using your phone number. At this stage, you will start to receive six-digit codes over SMS, suggesting that someone has requested the code to install WhatsApp on their phone. There is nothing you can do, and WhatsApp on your phone continues to work normally for the time being. These codes will arrive repeatedly, since that is part of the process of the hack. At one stage, WhatsApp’s verification process will limit the number of codes that can be sent and will restrict the ability to generate more codes for a period of 12 hours. During this time, your WhatsApp continues to work absolutely normally. What you shouldn’t do at this stage, however, is deactivate WhatsApp on your phone and attempt to reinstall it: you will not be able to generate a code. This vulnerability is expected to affect both WhatsApp for Android and WhatsApp for iPhone.
On to the next step. The hacker creates an email ID and then sends an email to email@example.com stating that the phone on which WhatsApp was installed has been stolen or lost and that they need WhatsApp deactivated for that number—and this will be your phone number. WhatsApp may confirm your number again over email, but there is no way for them to tell whether it is a hacker sending these emails or the genuine owner. After a while, WhatsApp for your phone number will be deactivated. You’ll see the “Your phone number is no longer registered with WhatsApp on this phone” notification when you next open the app. It goes on to say that this might be because WhatsApp has been installed on another phone. Be very alarmed at this stage.
The logical course of action would be to try to set up WhatsApp again on your phone. You enter your number and wait for the verification code. The report suggests that no code will arrive by SMS and the app will tell you “Wait before requesting an SMS or a call”. That’s because your phone is now subject to the same 12-hour countdown with limited re-verification opportunities. “But suddenly you remember that you received unexpected WhatsApp codes an hour or two earlier. You retrieve the most recent SMS and enter the code into WhatsApp. But even this will not work. ‘You have guessed too many times,’ your WhatsApp tells you. Obviously, you haven’t guessed at all. But your phone has the same restrictions as the attacker’s. You can’t request a new code, you can’t enter the last code, you are stuck,” says the report.
After the 12-hour mark has elapsed, there are two possible paths, and which one you walk down depends on how lucky you are. If the attack stops here, you’ll be able to register WhatsApp on your phone and life can be normal again. But if not, more trouble awaits. If the attacker waits out the 12-hour period and emails WhatsApp again, you’ll not be able to set up WhatsApp on your phone even if you receive the text messages with codes. The researchers indicate that WhatsApp breaks down and gets confused after the third 12-hour cycle and, instead of a countdown, simply says “try again after -1 seconds”. The same treatment is given to your phone and to the attacker’s phone. And herein lies the problem. If the attacker waits until now before emailing WhatsApp yet again to deactivate your number, there will be no way for you to re-register WhatsApp on your phone once you are kicked out of the app. “It’s too late,” the researchers told Forbes.
The problem with WhatsApp’s verification architecture is that neither the SMS codes nor the automated email support has a second layer that checks authenticity, which leaves the process wide open to abuse. The researchers also point out that this sort of attack doesn’t need any sophistication to implement. “There is no way of opting out of being discovered on WhatsApp. Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy focused would help protect users from this, as well as forcing people to implement a two-step verification PIN,” ESET’s Jake Moore told Forbes. WhatsApp simply links an account to a phone number and doesn’t have a trusted-device policy that ties it to a device ID or to the operating system it was last installed and verified on.
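The design lesson in the paragraph above is that a throttle keyed only on a phone number, plus a deactivation path that accepts an unverified claim of ownership, lets a stranger spend the real owner’s verification budget and then have the account switched off. The toy model below is an added illustration written for this article; it is not WhatsApp’s code, and the request limit, the account, the device names and the PIN are all constructed. It contrasts the number-only design with a variant that keeps a separate throttle bucket per requesting device and requires the account’s two-step PIN before a support deactivation is honoured, the two mitigations the quoted experts point to.

```python
"""Toy model: phone-number-only verification versus a hardened variant.

Constructed illustration for this article, not WhatsApp's implementation.
Assumptions (all invented for the example):
  - a code request is throttled after MAX_CODE_REQUESTS and locked for 12 hours
  - naive mode keys the throttle on the phone number alone
  - hardened mode keys it per requesting device and requires the two-step PIN
    before a "lost phone" support request deactivates the account
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MAX_CODE_REQUESTS = 5        # constructed limit; the real threshold is not on the page
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour window the article describes


@dataclass
class Account:
    active: bool = True
    pin: Optional[str] = None              # two-step verification PIN, if the owner set one
    trusted_device: Optional[str] = None   # device that completed the last real verification
    requests: Dict[str, int] = field(default_factory=dict)        # throttle counters per bucket
    locked_until: Dict[str, float] = field(default_factory=dict)  # lockout expiry per bucket


class VerificationService:
    def __init__(self, clock: Callable[[], float], hardened: bool):
        self.clock = clock          # injected clock so scenarios are deterministic
        self.hardened = hardened
        self.accounts: Dict[str, Account] = {}

    def register(self, number: str, device: str, pin: Optional[str] = None) -> Account:
        acct = self.accounts.setdefault(number, Account())
        acct.active, acct.trusted_device, acct.pin = True, device, pin
        return acct

    def _bucket(self, device: str) -> str:
        # Naive: one shared bucket per number, so any requester drains it.
        # Hardened: a bucket per device, so a stranger's flood stays in their bucket.
        return device if self.hardened else "*"

    def request_code(self, number: str, device: str) -> str:
        acct = self.accounts.setdefault(number, Account())
        key, now = self._bucket(device), self.clock()
        if now < acct.locked_until.get(key, 0.0):
            return "wait"                       # "Wait before requesting an SMS or a call"
        count = acct.requests.get(key, 0) + 1
        acct.requests[key] = count
        if count > MAX_CODE_REQUESTS:
            acct.locked_until[key] = now + LOCKOUT_SECONDS
            acct.requests[key] = 0
            return "wait"
        return "code-sent"

    def support_deactivate(self, number: str, pin: Optional[str] = None) -> str:
        """A 'my phone was lost' request arriving by email."""
        acct = self.accounts.get(number)
        if acct is None:
            return "unknown"
        # Hardened: the email alone proves nothing; demand the owner's PIN.
        if self.hardened and acct.pin is not None and pin != acct.pin:
            return "refused"
        acct.active = False
        return "deactivated"


def lockout_scenario(hardened: bool) -> dict:
    """Replay the article's sequence against one of the two designs."""
    t = [0.0]
    svc = VerificationService(lambda: t[0], hardened)
    number = "+15550100"                                   # constructed number
    svc.register(number, "owner-phone", pin="123456" if hardened else None)
    # A stranger who only knows the number floods code requests from their own device.
    flood = [svc.request_code(number, "stranger-phone") for _ in range(MAX_CODE_REQUESTS + 1)]
    # The stranger then emails support claiming the phone is lost (no PIN supplied).
    deactivation = svc.support_deactivate(number, pin=None)
    # The real owner, kicked out, tries to re-verify from their own phone.
    owner = svc.request_code(number, "owner-phone")
    return {
        "stranger_throttled": flood[-1] == "wait",
        "deactivation": deactivation,
        "owner_can_reverify": owner == "code-sent",
        "account_active": svc.accounts[number].active,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "naive", lockout_scenario(mode))
```

In the naive run the stranger is throttled, the email deactivates the account, and the owner’s own re-verification attempt hits the same lockout, which is exactly the trap the article describes. In the hardened run the stranger is still throttled but only in their own bucket, the deactivation is refused for lack of the PIN, and the owner can request a code immediately. Per-device buckets alone are a weak control, since a client can choose what device identifier it presents; the PIN check is the part that actually ties the deactivation to something only the owner knows.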
Unfortunately, WhatsApp’s response to Forbes’ Zak Doffman doesn’t inspire much confidence. All they say is, “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.” Really, if your WhatsApp has been hacked, the knowledge that the person responsible for this unsophisticated attack is in breach of WhatsApp’s terms of service is scant consolation. The report also says that WhatsApp hasn’t confirmed any plans to fix this vulnerability.