Hackers Deactivate WhatsApp

It has been reported that any individual could potentially deactivate a WhatsApp account by sending an email, and currently, there is no known method to prevent this from happening. This information has been shared with all WhatsApp users.

The fact that WhatsApp offers complete end-to-end encryption (E2EE) contributes in some way to its popularity as one of the most popular messaging services available.

However, if E2EE isn’t backed by strong safeguards against unauthorized access to user accounts, it is ineffective as a standalone security feature.

Particularly, WhatsApp has made it simple for users to deactivate their accounts. Yet, as one top security expert has cautioned, WhatsApp may have exposed every user to an all-too-simple denial of service attack by simplifying the procedure a bit too much.

WhatsApp Account Deactivation Via Simple Email

According to Jake Moore, the global cybersecurity advisor at ESET and a former law enforcement head of digital forensics, it allows anybody with your phone number, including a malicious actor or just about anyone else, to remotely deactivate your WhatsApp account.

When a phone was lost or stolen, Moree posted a screenshot of the WhatsApp support FAQ. He tweeted saying “So let me get this right, I can type in ANY number and you will deactivate that account?”

WhatsApp instructions work for anyone wanting to deactivate your account

The account will be immediately deactivated, according to WhatsApp, by simply emailing the words “Lost/Stolen: Please deactivate my account” which also contains the phone number connected to that account to a given email address.

This deactivation request, according to Moore, might come from any email address, not simply the one belonging to the account holder.

The account remains active after the deactivation request is submitted, and your contacts may still view your profile. Undoubtedly, they can still message you.

For up to 30 days following the deactivation, messages will be kept as pending. This is crucial since your account will be terminated if you don’t revive it within those 30 days.

By building a script that repeatedly sends the deactivation email over 30 days, this could be used to carry out a denial of service attack against a user, as Moore and others noted in the Twitter thread.

WhatsApp Has Modified The Deactivating Procedure

It appears that, at least for a while, the instantaneous aspect of applying a deactivation request may have been halted.

Hence, WhatsApp seems to have finally appropriately backtracked from the automatic and instant termination of accounts.

WhatsApp has now changed the deactivation process

Users now receive a follow-up message after receiving the notice mentioned above, asking for more account ownership proof before a deactivation may occur. Documentation, such as a copy of the phone bill or contract, is required for such verification.

The account could be deactivated for 30 days and then deleted if not reactivated

Mitigation

Using the deactivation email approach, a user may protect themselves against an attacker denying them access to their WhatsApp account.

Two-step verification is offered to all WhatsApp accounts, but this is not enabled by default which remains a problem for hijacked accounts”, Moore said.

“When two-step verification is turned on, an email address is required so naturally this could also be the only email address that enables the deactivation method.”

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.