WhatsApp bug; the two-step verification system challenged


It seems that two-factor authentication is not a reliable method for preventing hackers from sweeping into users’ conversations. Recently, Roland Abi Najem, Cybersecurity and Digital Transformation Consultant, found a bug in WhatsApp’s two-step verification code system.

On July 18, 2020, someone attempted to hack Abi Najem’s WhatsApp account. On July 21, the cybersecurity expert wrote a post on Facebook for cybersecurity awareness purposes. He attached a screenshot of the WhatsApp message, assuming that the verification code had already expired. “Everyone knows that the OTP codes (one-time passwords) are valid for a timeframe between 30 seconds and 2 minutes maximum. After 2 minutes, the code would have expired and users have to ask for a new verification code,” Abi Najem told Inside Telecom.

On the same day, Abi Najem’s WhatsApp account was exposed to a second hacking attempt. Once the hacker requested activation, Abi Najem received a message with the same verification code, a serious security issue. “Apparently, the WhatsApp verification system will send you the same code if it wasn’t used before,” said Abi Najem. He added, “I received a WhatsApp verification on July 18 at 3:13 AM. Three days later, at 1:31 AM, I received the same verification code.”

Google, Facebook, and Microsoft auto-generate verification codes. When you receive a code from Google Authenticator, a counter appears next to the code indicating that it will expire in 30 seconds. “Two-factor authentication generates different codes that have a lifetime. Thus, the WhatsApp OTP bug is a catastrophe,” said Abi Najem, who emailed WhatsApp to draw its attention to the issue.

“The code should be temporary, but due to the bug, the WhatsApp verification code is acting as a password (so-called one-factor authentication),” Roland explained to Inside Telecom. WhatsApp should fix the bug immediately, but it seems the company does not take the issue seriously. “You were most likely sent the code because someone entered your number when trying to register in WhatsApp (perhaps by accident). Verification codes are used to verify the ownership of the number. Without the verification code, the user who is verifying the number will not be able to complete the verification process and use their WhatsApp with that number. Hence, there is no risk of the account being compromised,” WhatsApp stated in its response to Abi Najem.
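To make the two behaviours concrete, here is an added example (not WhatsApp’s code, and not anything Abi Najem published) that contrasts an issuer which re-sends an unused code on every request, as the article describes, with one that mints a fresh, expiring, single-use code each time. The 120-second lifetime, the injectable clock and the phone numbers are assumptions for illustration.

```python
import secrets
import time

CODE_TTL_SECONDS = 120  # assumption: the 2-minute ceiling the article quotes


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"


class ReusingIssuer:
    """The behaviour the article describes: an unused code is re-sent on
    every later request, so it never truly expires and acts like a password."""

    def __init__(self):
        self._codes = {}  # phone -> code

    def request_code(self, phone):
        return self._codes.setdefault(phone, _new_code())

    def verify(self, phone, code):
        return self._codes.get(phone) == code


class ExpiringIssuer:
    """Hardened issuer: every request mints a fresh code (replacing the old one),
    codes expire after CODE_TTL_SECONDS, and a successful check consumes them."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be simulated
        self._codes = {}  # phone -> (code, issued_at)

    def request_code(self, phone):
        code = _new_code()
        self._codes[phone] = (code, self._clock())
        return code

    def verify(self, phone, code):
        entry = self._codes.get(phone)
        if entry is None:
            return False
        stored, issued_at = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            self._codes.pop(phone, None)  # stale code is discarded, never re-sent
            return False
        if not secrets.compare_digest(stored, code):
            return False
        self._codes.pop(phone, None)  # single use: a replay must fail
        return True
```

With the reusing issuer, a second request three days after the first returns the identical code and it still verifies; with the expiring issuer the old code is rejected and a new one is sent.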

Twofactorauth.org has long been at the center of the campaign for two-factor authentication, a website dedicated to naming and shaming any product that does not offer it. Today, every messaging app takes cybersecurity into account. Digital rights organizations have been advocating the necessity of implementing two-step verification, and users have been choosing their instant messaging app based on whether this feature is available. Thus, the bug could be a real threat to WhatsApp.

Companies send two-factor authentication codes by call, email, or SMS, the so-called Application-to-Person (A2P) SMS. Adding two-factor authentication (2FA) makes it more difficult for hackers to infiltrate accounts. However, smart hackers can use sophisticated techniques to bypass two-factor authentication. According to Mobliciti, phishing, social engineering and call forwarding are the techniques used to exploit 2FA.

Malicious activity can occur when attackers intercept codes or exploit accounts’ recovery systems. They can intercept 2FA codes even when these are transmitted to users via voice calls. They can also create a backdoor communication connection with a command and control (C&C) server.

A2P messaging is a fast-growing market. According to Zion Market Research, the global A2P SMS market will reach $70.0 billion by 2020. WhatsApp should immediately work on fixing this bug to secure users’ privacy. In fact, a hacker who has access to the two-step verification code could add a PIN, preventing account recovery.