There's no indication that it's being used in the wild.WhatsApp remains one of the most popular ways of exchanging instant messages for free, but that's not to say that everyone is safe on the platform. The proof-of-concept attack was first reported by Forbes from security researchers Luis Marquez Carpintero and Ernesto Canales Perena. Confidential text messages and contacts are not exposed. The results are disturbing, but at the very least, this method can't be used to actually gain access to an account, merely to block access by its legitimate owner. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account. WhatsApp 'verifies' this with a reply email, and suspends your account without any input on your end. Here's where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. After multiple repeated and failed attempts, your login is locked for 12 hours. They can't verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. This newly-discovered flaw uses two separate vectors. At the time of writing there's no solution for this issue. It's possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. An anonymous reader writes: If you're a frequent user of WhatsApp, you may want to keep an eye on a disturbing hole discovered in its security this weekend.
0 kommentar(er)
