All the attacker needs is your phone number and a lot of patience • As of this writing the loophole has not been fixed
Photo: Yinon Ben-Shoshan
New method of attack:
Anonymous individuals can take over your WhatsApp account using only your phone number, without any contact with you, according to a report in Forbes.
As of this writing, there is no solution to the problem.
The trick is a little more sophisticated than the ones you may be familiar with.
First, the attacker downloads WhatsApp to another smartphone and enters your phone number to activate the chat service.
He cannot verify the account, because he does not have access to the verification code sent to you, so he retries several times until your account is locked for 12 hours.
This is where the tricky part comes in: when your account is locked, the attacker sends a message to WhatsApp support from his own email address, claiming that (your) phone has been lost or stolen, and that the account associated with your number should be disabled immediately.
After that, WhatsApp "verifies" the information by sending a return email to the same address - and suspends the account without any further verification process.
In addition, the same anonymous person can repeat the operation several times to disable the account completely.
Although the results are very disturbing, it is important to note that an outside party still cannot access your account, and can only block your access to it.
WhatsApp did not confirm that it intends to fix the loophole, and told Forbes in response: "Two-step verification prevents such cases.
Anyone who needs help can email our support team so we can investigate."