A critical vulnerability that essentially allowed anyone to deactivate anyone else’s WhatsApp account has been addressed by Meta, with users now required to provide documentation to complete a request of this nature.
A report published by Forbes last week noted that WhatsApp accounts could be deactivated simply by sending a request from any email address, so long as the attacker knew the phone number associated with the account. Going forward, the account deactivation process now involves a follow-up message that requests verification of ownership of the associated phone number.
WhatsApp account deactivation process subject to “denial of service” attacks
Until very recently, a WhatsApp account could be deactivated by emailing the company to indicate that the phone associated with the account had been lost or stolen. That account deactivation email could come from any address; it just needed to include the correct phone number associated with the account. The process appears to be automated, as security researchers who tested it found that their test WhatsApp accounts were deactivated immediately when a request was made from an unfamiliar email address.
Though technically a denial of service attack, this technique did not seem to be put to widespread use as it ultimately amounted to more of an annoyance than anything else. The account deactivation request does not delete the account, though it could be deleted if the target does not reactivate it within 30 days. But all the user has to do to reactivate the account is log back in as normal. During the deactivation period, contacts remain able to see user profiles and send messages to them.
After Forbes published a report on the vulnerability, WhatsApp made changes that add a new step to the account deactivation process. A request can still be initiated in this way, but the requester will be messaged to ask for some verification of ownership of the phone number associated with the target WhatsApp account (such as a picture of a phone bill or contract).
The logic behind the initial account deactivation policy was likely that if a phone is lost or stolen, the user needs to be able to shut the account down as quickly as possible from whatever communication device is available (for example a computer). The exploitable part of the process likely would not have amounted to more than an occasional prank between people who know each other, but there are possibilities for targeted harassment or plots to permanently remove an account if the attacker is aware that the target is unlikely to log in to their WhatsApp account or receive messages about it for 30 days.
Account deactivation gimmick highlights threats from “creative malice”
While the new WhatsApp account policy offers at least a partial solution to the issue, it may have swung the pendulum a little too far the other way. Users who have legitimately lost their phones or had them stolen may well not have a copy of phone ownership documentation at hand to facilitate a quick deactivation. It remains to be seen if WhatsApp will make further changes to the policy, but one that could be implemented is to only accept instant account deactivation requests from email addresses associated with or whitelisted by that account.
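The flow described above, modelled as an added example (not WhatsApp's own code): the original handler treats knowledge of the phone number as sufficient authorization, while the hardened variant only acts immediately for a requester address the owner registered in advance (a hypothetical `trusted_emails` allowlist, the mitigation floated in the paragraph above) and otherwise defers to ownership verification. The 30-day deletion window and reactivation by logging in are taken from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

DELETION_GRACE = timedelta(days=30)  # deactivated account is deleted unless the owner logs back in within 30 days


@dataclass
class Account:
    phone: str
    trusted_emails: Set[str] = field(default_factory=set)  # assumed: addresses the owner pre-registered
    deactivated_at: Optional[datetime] = None
    deleted: bool = False


def handle_deactivation(acct: Account, phone: str, requester_email: str,
                        now: datetime, require_trusted_email: bool) -> str:
    """Process a 'lost or stolen phone' deactivation request.

    require_trusted_email=False reproduces the original behaviour: any sender
    who knows the phone number deactivates the account at once.
    require_trusted_email=True only acts immediately for a pre-registered
    address; anyone else is asked for proof of ownership before anything changes.
    """
    if phone != acct.phone:
        return "rejected"            # wrong number: nothing to act on
    if require_trusted_email and requester_email.lower() not in acct.trusted_emails:
        return "verification_required"   # e.g. a picture of the phone bill, as the new process asks
    acct.deactivated_at = now
    return "deactivated"


def reactivate(acct: Account, now: datetime) -> str:
    """Owner logs back in. Succeeds only inside the 30-day grace window."""
    if acct.deleted:
        return "deleted"
    if acct.deactivated_at is None:
        return "already_active"
    if now - acct.deactivated_at > DELETION_GRACE:
        acct.deleted = True          # window missed: the account is gone for good
        return "deleted"
    acct.deactivated_at = None
    return "reactivated"
```

The test below walks through both policies on a constructed account: the stranger succeeds under the original rule, is stopped under the trusted-email rule, and a reactivation attempt after day 30 finds the account deleted.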
Cybersecurity efforts are rightfully focused on ransomware, fraud and espionage. But acts of malice such as this one, which slip through loopholes and oversights in design or policy to have a more limited or focused destructive impact, should not be overlooked. Distributed denial of service (DDoS) attacks that take out business functions have been estimated to cost between several thousand and nearly $100,000 per hour of downtime. The total cost for such an attack can be in the hundreds of thousands of dollars for small businesses, and in the multiple millions for large enterprise-scale companies.
Those costs are for the sort of attacks that take down websites or cripple business communications temporarily, but smaller issues can take a financial toll as well when they are this broadly exploitable.
Steven Spadaccini, VP of Intelligence for SafeGuard Cyber, notes that WhatsApp is growing as a primary communication tool for businesses: “The recent warning to all WhatsApp users that their accounts could be deactivated by anyone sending an email is concerning as the application is fast becoming central to successful business communication. From over 1.8 billion users at the start of 2022, more than 2.24 billion people now communicate and collaborate through WhatsApp. The application’s proximity to the rest of the device, and all the other apps on that device, make it a potential entry-point for serious trouble, and account compromise is a key security concern.”
“Securing users’ account settings is a good place to start, but organizations can go a step further by gaining full visibility into their WhatsApp communications to monitor for malicious activity and establishing WhatsApp security protocols with solutions that will allow them to customize their policies, and quickly apply those policies across the entire channel,” advised Spadaccini.
There is also the question of how seemingly smaller vulnerabilities such as this can be paired together to do bigger damage. A November 2022 data breach of around 500 million WhatsApp accounts involved leaked phone numbers, creating a ready-made database that threat actors could use to look up target contact information. That collection was put up for sale to the general public on the dark web. Issues such as the account deactivation oversight are also more troubling to users when the app bills itself as a privacy tool, and WhatsApp faces strong competition from similar encrypted messaging apps such as Signal and Telegram.