WhatsApp Vulnerability which Allows Attacker to Suspend Accounts Discovered
13 Apr, 2021 / 11:54 pm / Omnes Media

WhatsApp has suggested that users could avoid the problem by providing their email address with two-step verification.

WhatsApp has been found to have a vulnerability that can allow an attacker to suspend your account remotely using your phone number. The flaw, now found by security researchers, appears to have existed in the instant messaging app for quite some time because of fundamental weaknesses. A large number of WhatsApp users are said to be at risk, as a remote attacker can deactivate WhatsApp on your phone and then prevent you from activating it again. The vulnerability can be exploited even if you've enabled two-factor authentication (2FA) for your WhatsApp account.

Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña discovered the flaw that can allow attackers to remotely suspend your WhatsApp account. As first reported by Forbes, the researchers found that the flaw exists in the instant messaging app due to two fundamental weaknesses.

The first weakness allows the attacker to enter your phone number into WhatsApp installed on their own phone. This will, of course, not give access to your WhatsApp account unless the attacker obtains the six-digit registration code you'll get on your phone. Multiple failed attempts to sign in using your phone number will also block code entries on WhatsApp installed on the attacker's phone for 12 hours.

However, while the attacker won't be able to repeat the sign-in process with your phone number, they will be able to contact WhatsApp support to deactivate your phone number from the app. What they need is a new email address and a simple email stating that the phone has been stolen or lost. In response to that email, WhatsApp will ask for a confirmation, which the attacker will quickly provide from their end.

This will deactivate your WhatsApp account, meaning that you'll no longer be able to access the instant messaging app on your phone. You won't be able to avoid that deactivation by using 2FA on your WhatsApp account as the account has apparently been deactivated through the email sent by the attacker.

Source: NDTV News

Country: U.S.