CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
Critical WhatsApp Account Vulnerability Addressed: Third-Party Account Deactivations by Email Prompt Verification Changes

Scott Ikeda · August 2, 2023

A critical vulnerability that essentially allowed anyone to deactivate anyone else’s WhatsApp account has been addressed by Meta, with users now required to provide documentation to complete a request of this nature.

A report published by Forbes last week noted that WhatsApp accounts could be deactivated simply by sending a request from any email address, so long as the attacker knew the phone number associated with the account. Going forward, the account deactivation process now involves a follow-up message that requests verification of ownership of the associated phone number.

WhatsApp account deactivation process subject to “denial of service” attacks

Until very recently, a WhatsApp account could be deactivated by emailing the company to indicate that the phone associated with the account had been lost or stolen. That account deactivation email could come from any address; it just needed to include the correct phone number associated with the account. The process appears to be automated, as security researchers who tested it found that their test WhatsApp accounts were deactivated immediately when a request was made from an unfamiliar email address.

Though technically a denial of service attack, this technique did not seem to be put to widespread use, as it ultimately amounted to more of an annoyance than anything else. The account deactivation request does not delete the account, though the account could be deleted if the target does not reactivate it within 30 days. All the user has to do to reactivate the account is log back in as normal. During the deactivation period, contacts remain able to see the user's profile and send messages to them.

After Forbes published a report on the vulnerability, WhatsApp made changes that add a new step to the account deactivation process. A request can still be initiated in this way, but the requester will be messaged to ask for some verification of ownership of the phone number associated with the target WhatsApp account (such as a picture of a phone bill or contract).

The logic behind the initial account deactivation policy was likely that if a phone is lost or stolen, the user needs to be able to shut the account down as quickly as possible from whatever communication device is available (for example a computer). The exploitable part of the process likely would not have amounted to more than an occasional prank between people who know each other, but there are possibilities for targeted harassment or plots to permanently remove an account if the attacker is aware that the target is unlikely to log in to their WhatsApp account or receive messages about it for 30 days.

Account deactivation gimmick highlights threats from “creative malice”

While the new WhatsApp account policy offers at least a partial solution to the issue, it may have swung the pendulum a little too far the other way. Users who have legitimately lost their phones or had them stolen may well not have a copy of phone ownership documentation at hand to facilitate a quick deactivation. It remains to be seen if WhatsApp will make further changes to the policy, but one that could be implemented is to only accept instant account deactivation requests from email addresses associated with or whitelisted by that account.
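As an added illustration (this is not code from the article, WhatsApp or Meta), the following Python model contrasts the original accept-anything policy with two defensive designs: an allowlist of owner-registered email addresses, as the paragraph above proposes, and a two-step challenge flow that sends a single-use, short-lived code to the owner's registered contact rather than back to the requester, with a rate limit on repeated requests for the same number. The `Account` class, the owner-registered email list, and every address, phone number and code below are assumptions constructed for the example.

```python
"""Model of an account-deactivation request handler. Hypothetical code added to
illustrate the flaw the article describes and two mitigations; it is not
WhatsApp's code, and every account, address and code below is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
import secrets
import time


@dataclass
class Account:
    phone: str                # public identifier: knowing it proves nothing
    owner_emails: frozenset   # addresses the owner registered in advance (assumed feature)
    deactivated: bool = False


def deactivate_weak(acct: Account, sender_email: str, claimed_phone: str) -> str:
    """The original policy: any sender who names the right phone number succeeds."""
    if claimed_phone != acct.phone:
        return "rejected"
    acct.deactivated = True   # sender_email is never compared with the account
    return "deactivated"


def deactivate_allowlisted(acct: Account, sender_email: str, claimed_phone: str) -> str:
    """Mitigation the article suggests: honour only addresses bound to the account."""
    if claimed_phone != acct.phone:
        return "rejected"
    if sender_email.strip().lower() not in acct.owner_emails:
        return "rejected"
    acct.deactivated = True
    return "deactivated"


class ChallengeDeactivation:
    """Two-step flow: a request only creates a short-lived code that is delivered
    to the owner's registered addresses, never back to the requester. A per-phone
    rate limit caps how many challenges an unknown sender can trigger."""

    def __init__(self, ttl_seconds: int = 900, max_per_hour: int = 3):
        self.ttl = ttl_seconds
        self.max_per_hour = max_per_hour
        self._pending: Dict[str, Tuple[str, float]] = {}  # phone -> (sha256(code), expiry)
        self._requests: Dict[str, List[float]] = {}       # phone -> request timestamps
        self.outbox: List[Tuple[str, str]] = []           # (recipient, code) messages "sent"

    def request(self, acct: Account, claimed_phone: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if claimed_phone != acct.phone:
            return "rejected"
        recent = [t for t in self._requests.get(claimed_phone, []) if now - t < 3600]
        if len(recent) >= self.max_per_hour:
            return "rate_limited"
        self._requests[claimed_phone] = recent + [now]
        code = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[claimed_phone] = (digest, now + self.ttl)
        for addr in sorted(acct.owner_emails):            # out-of-band delivery to the owner
            self.outbox.append((addr, code))
        return "challenge_sent"

    def confirm(self, acct: Account, code: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        entry = self._pending.get(acct.phone)
        if entry is None:
            return "no_pending_request"
        digest, expiry = entry
        if now > expiry:
            del self._pending[acct.phone]
            return "expired"
        presented = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):   # constant-time comparison
            return "rejected"
        del self._pending[acct.phone]                    # single use
        acct.deactivated = True
        return "deactivated"


def demo() -> Dict[str, object]:
    """Run the three policies against one constructed account and an unrelated sender."""
    def fresh() -> Account:
        return Account(phone="+15550100", owner_emails=frozenset({"owner@example.com"}))
    stranger = "anyone@example.net"
    results: Dict[str, object] = {}

    a1 = fresh()
    results["weak"] = deactivate_weak(a1, stranger, a1.phone)                # "deactivated"
    a2 = fresh()
    results["allowlisted"] = deactivate_allowlisted(a2, stranger, a2.phone)  # "rejected"
    results["allowlisted_owner"] = deactivate_allowlisted(fresh(), " Owner@example.com ", a2.phone)

    a3 = fresh()
    flow = ChallengeDeactivation(ttl_seconds=900, max_per_hour=3)
    results["challenge"] = flow.request(a3, a3.phone, now=1000.0)            # "challenge_sent"
    results["challenge_recipient"] = flow.outbox[-1][0]                      # owner, not the sender
    real_code = flow.outbox[-1][1]
    wrong_code = "000000" if real_code != "000000" else "111111"
    results["wrong_code"] = flow.confirm(a3, wrong_code, now=1001.0)         # "rejected"
    results["owner_confirms"] = flow.confirm(a3, real_code, now=1002.0)      # "deactivated"
    results["replay"] = flow.confirm(a3, real_code, now=1003.0)              # "no_pending_request"

    a4 = fresh()
    flow2 = ChallengeDeactivation(ttl_seconds=900, max_per_hour=3)
    for _ in range(3):
        flow2.request(a4, a4.phone, now=2000.0)
    results["fourth_request"] = flow2.request(a4, a4.phone, now=2001.0)     # "rate_limited"
    results["stale_code"] = flow2.confirm(a4, flow2.outbox[-1][1], now=2901.0)  # "expired"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The weak handler treats possession of a public identifier as proof of ownership, which is the whole defect; the allowlist ties the request to a credential the owner established in advance, and the challenge flow adds a second factor delivered on a channel the requester does not control, while the rate limit bounds the harassment potential even when every attempt fails.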

Cybersecurity efforts are rightfully focused on ransomware, fraud and espionage. But acts of malice such as this, which slip through loopholes and oversights in design or policy to have a more limited or focused destructive impact, should not be overlooked. Distributed denial of service (DDoS) attacks that take out business functions have been estimated to cost from several thousand dollars to nearly $100,000 per hour of downtime. The total cost of such an attack can be in the hundreds of thousands of dollars for small businesses, and in the multiple millions for large enterprise-scale companies.

Those costs are for the sort of attacks that take down websites or cripple business communications temporarily, but smaller issues can take a financial toll as well when they are this broadly exploitable.

Steven Spadaccini, VP of Intelligence for SafeGuard Cyber, notes that WhatsApp is growing as a primary communication tool for businesses: “The recent warning to all WhatsApp users that their accounts could be deactivated by anyone sending an email is concerning as the application is fast becoming central to successful business communication. From over 1.8 billion users at the start of 2022, more than 2.24 billion people now communicate and collaborate through WhatsApp. The application’s proximity to the rest of the device, and all the other apps on that device, makes it a potential entry-point for serious trouble, and account compromise is a key security concern.”

“Securing users’ account settings is a good place to start, but organizations can go a step further by gaining full visibility into their WhatsApp communications to monitor for malicious activity and establishing WhatsApp security protocols with solutions that will allow them to customize their policies, and quickly apply those policies across the entire channel,” advised Spadaccini.

There is also the question of how seemingly smaller vulnerabilities such as this can be combined to do bigger damage. A November 2022 data breach of around 500 million WhatsApp accounts involved leaked phone numbers, creating a ready-made database that threat actors could use to look up target contact information. That collection was put up for sale to the general public on the dark web. Issues such as the account deactivation oversight are also more troubling to users when the app bills itself as a privacy tool, and WhatsApp faces strong competition from similar encrypted messaging apps such as Signal and Telegram.

Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda has been a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.