Disclaimer: This article is for educational and legal purposes only. We do not promote or support any illegal activities
Yes, You head it right, the title is not a clickbait. It’s true there is a flaw in Whatsapp’s two-step verification, and I accidentally bypassed it a few months ago.
WhatsApp Two-Step Verification
Two-step verification in WhatsApp is a security measure to prevent strangers from accessing your account if they get hold of your phone. It does not appear every time you open WhatsApp but is required almost every time you log in on a new phone. Now, let’s look at how two-step verification works, which will help you understand its flaws.
WORKING
WhatsApp’s two-step verification check is only triggered when you directly interact with the app, such as when logging into WhatsApp on your phone or when the two-step verification prompt appears on your screen. This happens because WhatsApp assumes that users will only interact with it through its official app and not via other software.
This potential logic flaw allows exploitation by interacting with WhatsApp through a third-party app. Since the two-step verification feature does not cover such scenarios, an attacker could access messages, details, and perform regular WhatsApp activities without triggering the verification prompt. It is possible that the two-step verification trigger is linked to WhatsApp’s splash screen, which might be the root cause of this flaw.
THE INCIDENT
When I opened my mother’s Whatsapp to send a PDF, I encountered the two-step verification screen and got stuck. My mother was busy, so I didn’t want to disturb her. Just for fun, I opened the file manager and tried sharing the PDF using the share button directly to Whatsapp. I don’t remember whether it was an accident or instinct but the result blew my mind.I managed to bypass the two-step verification! I was able to send the PDF to any chat and even read and reply to chats as if everything was normal. However, once I exited Whatsapp and reopened it, the two-step verification screen appeared again.This seems to be a way to bypass the two-step verification by sending something externally. I immediately reported it to Whatsapp, but their response wasn’t as great as I expected.
VIDEO PROOF
CONCLUSION
In this article, we explore a logic flaw I discovered in WhatsApp’s two-step verification and a method to bypass it. I found this vulnerability about a year ago, so by the time you’re reading this, WhatsApp may have already fixed the issue.
Either way, stay tuned for more valuable content follow our blog for updates!