It has been reported that anyone could deactivate a WhatsApp account simply by sending an email, and at present there is no known way to prevent this from happening. This information has been shared with all WhatsApp users.
WhatsApp's complete end-to-end encryption (E2EE) is part of what has made it one of the most popular messaging services available.
However, if E2EE isn’t backed by strong safeguards against unauthorized access to user accounts, it is ineffective as a standalone security feature.
In particular, WhatsApp has made it simple for users to deactivate their accounts. Yet, as one top security expert has cautioned, by simplifying the procedure a little too much, WhatsApp may have exposed every user to an all-too-simple denial of service attack.
WhatsApp Account Deactivation Via Simple Email
According to Jake Moore, the global cybersecurity advisor at ESET and a former law enforcement head of digital forensics, the process allows anybody with your phone number, whether a malicious actor or just about anyone else, to remotely deactivate your WhatsApp account.
Moore posted a screenshot of the WhatsApp support FAQ on what to do when a phone is lost or stolen, tweeting: “So let me get this right, I can type in ANY number and you will deactivate that account?”
According to WhatsApp, the account will be deactivated immediately on receipt of an email to a given address containing the words “Lost/Stolen: Please deactivate my account” together with the phone number connected to that account.
According to Moore, this deactivation request could come from any email address, not just the one belonging to the account holder.
Even after the deactivation request is submitted, your profile remains visible to your contacts, and they can undoubtedly still message you.
Messages will be kept as pending for up to 30 days following the deactivation. This is crucial, since your account will be terminated if you don’t reactivate it within those 30 days.
As Moore and others noted in the Twitter thread, this could be used to carry out a denial of service attack against a user by building a script that repeatedly sends the deactivation email over those 30 days.
WhatsApp Has Modified The Deactivation Procedure
It appears that, at least for now, the instant processing of deactivation requests has been halted.
WhatsApp therefore seems to have finally, and appropriately, backed away from the automatic and instant termination of accounts.
Users now receive a follow-up message after the notice mentioned above, asking for further proof of account ownership before a deactivation can occur. Documentation, such as a copy of the phone bill or contract, is required for this verification.
Mitigation
There are steps a user can take to protect themselves against an attacker using the deactivation email approach to deny them access to their WhatsApp account.
“Two-step verification is offered to all WhatsApp accounts, but this is not enabled by default which remains a problem for hijacked accounts”, Moore said.
“When two-step verification is turned on, an email address is required so naturally this could also be the only email address that enables the deactivation method.”
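The following Python model is an added illustration, not code from the article or from WhatsApp: it contrasts the reported flow, in which any sender naming any registered number triggers deactivation, with the binding Moore suggests, where only the two-step verification email may trigger it and every other request is deferred to manual ownership proof. The account data, phone numbers and addresses are constructed, and the hardened handler assumes the sender address was already authenticated by the mail system (SPF/DKIM/DMARC), since a spoofable From: header alone would defeat the check.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of the email-driven deactivation flow described above.
# Assumes the mail system has already authenticated the sender address
# (e.g. SPF/DKIM/DMARC pass); a spoofable From: header would defeat the check.
PHONE_RE = re.compile(r"\+?\d{8,15}")
DEACTIVATE_PHRASE = "lost/stolen: please deactivate my account"


@dataclass
class Account:
    phone: str
    two_step_email: Optional[str] = None  # None when two-step verification is off
    deactivated: bool = False


@dataclass
class EmailRequest:
    sender: str
    body: str


def parse_request(req: EmailRequest) -> Optional[str]:
    """Return the phone number named in a well-formed deactivation email, else None."""
    if DEACTIVATE_PHRASE not in req.body.lower():
        return None
    match = PHONE_RE.search(req.body)
    return match.group(0) if match else None


def handle_original(accounts: Dict[str, Account], req: EmailRequest) -> str:
    """The flow as reported: any sender naming any registered number deactivates it."""
    phone = parse_request(req)
    if phone is None or phone not in accounts:
        return "ignored"
    accounts[phone].deactivated = True
    return "deactivated"


def handle_hardened(accounts: Dict[str, Account], req: EmailRequest) -> str:
    """Bind the request to the two-step verification email; anything else is
    deferred to manual ownership proof (phone bill or contract), not acted on."""
    phone = parse_request(req)
    if phone is None or phone not in accounts:
        return "ignored"
    acct = accounts[phone]
    if acct.two_step_email and req.sender.lower() == acct.two_step_email.lower():
        acct.deactivated = True
        return "deactivated"
    return "needs_ownership_proof"
```

An account without two-step verification enabled has no bound email, so the hardened handler never auto-deactivates it; every request for that number goes to the documentation-based check.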