WhatsApp is one of the most widely used messaging solutions around, and that’s at least partly due to its full end-to-end encryption (E2EE). However, E2EE as a standalone security feature is quite useless if it is not supported by robust measures preventing unauthorized access to user accounts. As services develop, we see fewer and fewer such vulnerabilities, but a WhatsApp issue that was recently brought to light is particularly damning, because anyone could remotely deactivate your account without consent.
In the rare instance your primary phone is stolen and you cannot access WhatsApp, the Meta-owned messaging service makes it easy to request the remote deactivation of your WhatsApp account to prevent misuse. WhatsApp support documentation clearly states you just need to shoot an email containing the phrase “Lost/Stolen: Please deactivate my account” along with your phone number in full international format. In a utopian world, this system could work well for a company maintaining a handful of user accounts, but not for WhatsApp and billions of its users.
ESET’s Global Cybersecurity Advisor Jake Moore rightly points out we don’t live in an ideal world. Moreover, WhatsApp’s process is completely automated and doesn’t verify if the email sender is the actual owner of the WhatsApp account to be deactivated. In such a scenario, it is easy to imagine how anyone who knows your phone number can create a burner email address and request deactivation of your account, all behind your back.
Professional cybercriminals could go a step further and exploit this system at scale using automated scripts randomly deactivating WhatsApp accounts, repeatedly performing denial of service (DoS) attacks until innocent victims pay up for access to their WhatsApp account. They could also steal contact information to target more people, or just delete conversations which you could not recover unless you had a recent WhatsApp backup.
Thankfully, Meta seems to have taken cognizance of the flaw — or perhaps it just received an obscene amount of deactivation requests. For now, immediate account deactivation has been disabled. If you were a victim of such an attack, support documentation clearly states you’re able to recover deactivated accounts and all unread messages within 30 days.
We commend WhatsApp for its swift intervention, but the now-discontinued feature looks like a boilerplate implementation left over from the days when WhatsApp was a new app. In a separate tweet, the cybersecurity advisor suggested WhatsApp re-enable the system and only entertain deactivation requests from emails linked to the WhatsApp account owners. He added two-step verification should be mandatory for all WhatsApp accounts, instead of being an option as things are today.
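As an added illustration (not WhatsApp’s code, and not a transcription of Moore’s proposal), the Python below sketches the two request handlers this article contrasts: a weak one that acts on any email containing the magic phrase and a phone number, and a hardened one that accepts a request only from the email address on file for the account, requires a one-time confirmation code before acting, and soft-deactivates so the 30-day recovery window mentioned above still applies. The account directory, the idea that each account has a verified owner email, the addresses, and the code format are all constructed assumptions for the example.

```python
"""
Added example (not WhatsApp code): a deactivation-request handler in the weak
and hardened shapes described in the article. All accounts, e-mail addresses
and phone numbers are constructed sample values.
"""
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# The phrase and number format quoted from WhatsApp's support documentation.
DEACTIVATE_RE = re.compile(r"Lost/Stolen:\s*Please deactivate my account", re.I)
E164_RE = re.compile(r"\+\d{8,15}")  # full international format, e.g. +15550100001
RECOVERY_WINDOW = timedelta(days=30)


@dataclass
class Account:
    phone: str
    owner_email: str  # assumption: a verified contact e-mail is on file
    active: bool = True
    deactivated_at: Optional[datetime] = None
    pending_code: Optional[str] = None


def make_directory() -> Dict[str, Account]:
    """Constructed sample directory keyed by phone number."""
    return {"+15550100001": Account("+15550100001", "alice@example.com")}


def parse_request(body: str) -> Optional[str]:
    """Return the phone number if the body is a well-formed request, else None."""
    if not DEACTIVATE_RE.search(body):
        return None
    m = E164_RE.search(body)
    return m.group(0) if m else None


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (avoids leaking which part differed)."""
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def weak_handler(sender: str, body: str, accounts: Dict[str, Account]) -> str:
    """The flaw the article describes: nothing ties the sender to the account."""
    acct = accounts.get(parse_request(body))
    if acct is None:
        return "ignored"
    acct.active = False
    acct.deactivated_at = datetime.now(timezone.utc)
    return "deactivated"


def hardened_request(sender: str, body: str, accounts: Dict[str, Account]) -> str:
    """Step 1: only the e-mail on file may start a request, and it only yields a code."""
    acct = accounts.get(parse_request(body))
    # Identical response for unknown number and wrong sender: no account enumeration.
    if acct is None or not _same(sender, acct.owner_email):
        return "ignored"
    acct.pending_code = secrets.token_hex(4)  # delivered out of band to owner_email
    return "code_sent"


def hardened_confirm(sender: str, phone: str, code: str, accounts: Dict[str, Account]) -> str:
    """Step 2: deactivate only on a matching one-time code; one attempt per code."""
    acct = accounts.get(phone)
    if acct is None or acct.pending_code is None or not _same(sender, acct.owner_email):
        return "ignored"
    issued, acct.pending_code = acct.pending_code, None  # code is single-use either way
    if not hmac.compare_digest(issued, code):
        return "ignored"
    acct.active = False  # soft-deactivate: data kept for the recovery window
    acct.deactivated_at = datetime.now(timezone.utc)
    return "deactivated"


def can_recover(acct: Account, at: Optional[datetime] = None) -> bool:
    """True while a deactivated account is still inside the 30-day recovery window."""
    if acct.active or acct.deactivated_at is None:
        return False
    at = at or datetime.now(timezone.utc)
    return at - acct.deactivated_at <= RECOVERY_WINDOW


if __name__ == "__main__":
    body = "Lost/Stolen: Please deactivate my account +15550100001"
    print("weak, burner sender:", weak_handler("burner@example.net", body, make_directory()))
    d = make_directory()
    print("hardened, burner sender:", hardened_request("burner@example.net", body, d))
    print("hardened, owner:", hardened_request("alice@example.com", body, d))
```

The hardened path still lets a genuine owner deactivate a stolen phone’s account, but an attacker who knows only the phone number gets the same “ignored” response as for a non-existent number, and even a guessed sender address cannot complete the request without the out-of-band code.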
We will keep an eye out for how WhatsApp implements account deactivation systems in the wake of this revelation.