WhatsApp has come under fire from security experts after it was brought to light that any account can be deactivated by anyone sending an email – with no current way of stopping it.
The easy deactivation process is intended to help users whose smartphone has been lost or stolen quickly disable their accounts and protect their data.
Security experts, however, have criticised the process as being too easy and leaving a lot of room for misuse by bad actors.
On July 17, the issue was first brought to light on Twitter by Jake Moore, a former law enforcement head of digital forensics.
“So let me get this right, I can type in ANY number and you will deactivate that account?” Moore wrote on Twitter with an accompanying screenshot.
WhatsApp has been allowing anyone, from any email address, to email it a simple phrase and a phone number, after which it instantly deactivates the account.
“This seems like a poorly thought-out approach to deactivating WhatsApp accounts,” Javvad Malik, lead security awareness advocate at KnowBe4, told Verdict.
Security experts have called for the implementation of two-factor authentication in the deactivation process. However, some have noted that it wouldn’t be possible to get through two-factor authentication if the phone has truly been lost or stolen.
“I think the issue with two-factor verification is that it does create friction in a user’s experience when it comes to implementing and adopting it,” James Malcolm, Head of Engineering (Mobile) at xDesign, told Verdict.
He added: “The bigger issue is that if you implement it, it’s more than likely that it will be part of the user’s phone too. If you’re having to email WhatsApp about losing your phone, you have more than likely lost access to your two-factor verification option anyway.”
WhatsApp’s policies do mention that a member of the team would get in contact with users trying to deactivate their accounts in some instances.
“I would expect that if someone is constantly trying to deactivate accounts then this will be caught by the support team as a potentially malicious request,” Malcolm told Verdict.
According to an update from Moore, WhatsApp has temporarily suspended this course of action following his own tests.
Verdict has reached out to WhatsApp for comment.