Here’s how it works: An attacker installs WhatsApp on a new phone and puts in your number to activate the app.
WhatsApp sends a 6-digit verification code to your phone, which the attacker does not have.
The attacker then enters wrong codes too many times, which triggers a lockout on that number: no further verification attempts are accepted for 12 hours.
The attacker then emails WhatsApp support from an address they control, claiming that the phone with your number has been lost or stolen.
WhatsApp responds to the attacker with a ‘verification’ email and then suspends access to your account. If the attacker repeats the cycle, the account stays locked, and at no point is anything asked of you.
This does not give the attacker access to your account, so there is no danger of any confidential information being obtained. But being locked out of your own WhatsApp account is still a major inconvenience.
The method was uncovered by a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, and so far there does not seem to be any way to prevent it outright.
The best mitigation is to enable two-step verification on your WhatsApp account and register an email address alongside your phone number. That gives WhatsApp’s support team a way to confirm who the genuine owner is, which should make it much harder for an attacker to pass themselves off as you.
‘Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem,’ a WhatsApp spokesperson told Metro.co.uk via email.
‘The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.’