Thursday, April 15, 2021

The Problem with WhatsApp is Facebook

  • I have known for some time that Facebook bought WhatsApp, which is a free way to contact friends around the world by phone, text, pictures or videos without having to pay for it. However, now that Facebook owns it, all the data you send or your friends send is now compromised, because companies like Facebook sell this data to the highest bidders worldwide without your permission. So my older daughter, who is very tech-savvy, insisted we all switch to Signal for safety, because that one is not compromised by a company like Facebook, at least yet.
  • Begin quote from:
  • https://www.tomsguide.com/news/whatsapp-security-hole-could-let-anyone-lock-your-account

    WhatsApp flaw could let anyone lock your account — what you need to know

    WhatsApp users beware: There’s a hole in the app’s security that could let attackers suspend your WhatsApp account. All they need is your phone number.

    The scary thing is that the method an attacker could use isn’t all that difficult. The only upside is that the attack doesn’t expose your account or any personal information. So the only reason they’d want to do it would be pure malice.

    The first stage of the attack is for the attacker to install WhatsApp on a brand new device and use your number to activate the app. Since they don’t have access to your phone, they won’t be able to verify the number belongs to them and actually access your WhatsApp account.

    The bad news here is that repeatedly sending out two-factor authentication codes, and failing to enter them correctly, will lead to your own login being locked for 12 hours.

    The second stage is a little bit more difficult, but isn’t all that hard. Once the account is locked, the attacker can email WhatsApp support claiming to be you, and declare your phone has been either lost or stolen and the WhatsApp app on it needs to be deactivated. 

    Because WhatsApp doesn’t ask for an email address when you sign up, this gets “verified” with whatever email the attacker messaged support with. Then your account is suspended by an automated process. Should the attacker repeat the process multiple times, it can lead to a semi-permanent lock on your entire account.

    A visual example of what a locked WhatsApp account looks like (Image credit: Forbes)

    Thankfully there are no reports of this attack actually being used out in the world. Instead it’s a proof of concept from security researchers Luis Márquez Carpintero and Ernesto Canales Pereña (via Forbes).

    However, the security hole does exist, and it isn’t particularly complicated. To make matters worse, WhatsApp has not confirmed whether it has any plans to fix the problem. That's an issue, considering your account can be deactivated anonymously, with no way of identifying which malicious actors are responsible.

    If it happens, the only thing you can do is get in touch with WhatsApp support, and try to get hold of a human being.

    Obviously the problem needs fixing, and we can only hope WhatsApp is actively working on a fix, as at the time of writing, this security hole is ripe for exploitation.

 
