Paranoia as a Working Method: Anticipating Threats in IT, Part 1
By Maciej Lesiak
This article is also available in Polish:
Paranoja jako metoda pracy na przykładzie antycypowania zagrożeń w IT cz. 1
Introduction to the series on paranoid perspective as a working method
Dear Reader, today we begin an unusual series. This isn’t a series directly about conspiracy theories, although it is related through paranoia and a paranoid approach. The topic is broad, so today, I’d like to introduce you to the concept of controlled paranoia and show its benefits, risks, and ways of control.
So, let me take you on the long-promised journey into a world that can create not only overinterpretations and false leads but also, as I will show in this first article of the series, can become a working method under certain conditions.
First, I’d like to say that today’s topic fell into my lap. Although I’m not from the professional cybersecurity industry (I know what a virus is), my approach to today’s problem helped me to open up to the issues I wanted to discuss in a way that’s understandable even to laypeople. I hope you find this an interesting read.
Why WhatsApp? Why target this app?
A few words of explanation. My interest in WhatsApp stems from my amateur involvement in urban activism. I noticed that the META app is very popular among activists for exchanging thoughts and documents, which I find problematic. This article was born out of concern for users and their mistaken belief in the security this app supposedly provides.
2FA that isn’t 2FA - Technical explanation of the problem
2FA, or two-factor authentication, is a popular method for securing accounts, requiring an additional PIN or token for identity verification. Until recently, I thought I was using 2FA in WhatsApp…
[Screenshot: WhatsApp Settings screen with the "two-step verification" setting]
I was alarmed by unusual behavior from WhatsApp, which had the option ACCOUNT > TWO-STEP VERIFICATION enabled. Typically, based on my experience, this setting adds a layer of security to protect the account or app from unauthorized access. Without reading the details, I enabled this function, set a PIN, and every time (I emphasize this happens every time), the app asks for my PIN before letting me proceed when launched or resumed…
[Screenshot: Activated 2FA, which, as explained, is something else, but causes screen blocking...]
2FA in SIGNAL, which I also use, is better documented, and the functionality is clearer. There, the PIN helps restore the account and encrypt information in the Signal system. Without the PIN, backups cannot be restored. It also blocks re-registration of the phone number in Signal. However, this PIN is never used for login; Android’s built-in methods (Android PIN or biometrics) are used for that. Signal’s account-recovery PIN never appears as a screen lock (it doesn’t block access to the app), and the app reminds you of it subtly without interfering with its use. This seems well thought out and well implemented.
A lock that can be bypassed without any prerequisites
So, back to the META messenger. Using WhatsApp, it asks for my PIN every time, displaying a typical field (see screenshot) that blocks access to the app (similar to how Signal uses Android’s mechanisms). I thought this was an access lock because you can’t proceed without entering the PIN.
However, this is a false assumption. Tests showed that the WhatsApp PIN lock could easily be bypassed by sharing a link from a browser to a contact in the app. This gives full access to the chat history without entering the PIN. Sending the message locks the app and prompts for the PIN. Strange, right? So, does it look like a typical app lock PIN meant to prevent unauthorized access?
Not exactly.
Reporting the bug to META
This triggered me before my morning coffee, leading to further tests, confirming that it’s possible to access the app without the PIN. I immediately reported the issue to META, describing the exact steps that lead to it:
- Lock WhatsApp with a PIN; you can also reboot Android to trigger the need to enter the PIN upon opening the messenger.
- Verify that the app cannot be accessed without the PIN. The entire screen is a big prompt asking for the PIN and preventing further use.
- Open a browser, select share, then Android will use system methods to share through available apps. Choose WhatsApp and a specific contact.
- This opens WhatsApp without the PIN, showing the entire chat history. You can even enter a message and send it without the PIN. Doing so sends the message and simultaneously locks the screen, requiring the PIN. Weird, right?
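As an added illustration (not WhatsApp’s or META’s code), this is how an Android app lock can be wired so that every entry point, the exported share target included, passes through the same gate: screens that can reveal chat content extend one locked base class, and the intent that arrived (such as an ACTION_SEND from a browser) is replayed only after BiometricPrompt succeeds. LockGate, LockedActivity, ShareReceiverActivity, UnlockActivity and EXTRA_PENDING are hypothetical names; the code assumes the androidx biometric and lifecycle-process libraries.

```kotlin
// Added example with hypothetical names, not WhatsApp's code: one app-wide lock checked at
// every entry point, including the exported share target; the arriving intent is replayed
// only after a BiometricPrompt verification succeeds.
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import androidx.biometric.BiometricManager.Authenticators
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import androidx.lifecycle.DefaultLifecycleObserver
import androidx.lifecycle.LifecycleOwner
import androidx.lifecycle.ProcessLifecycleOwner
const val EXTRA_PENDING = "pending_intent"
// Single source of truth: starts locked, re-locks after 30 s with the whole process in background.
object LockGate : DefaultLifecycleObserver {
    @Volatile var unlocked = false
    private var backgroundedAt = 0L
    fun install() = ProcessLifecycleOwner.get().lifecycle.addObserver(this) // call from Application.onCreate
    override fun onStop(owner: LifecycleOwner) { backgroundedAt = System.currentTimeMillis() }
    override fun onStart(owner: LifecycleOwner) { if (System.currentTimeMillis() - backgroundedAt > 30_000L) unlocked = false }
}
// Every screen that can reveal chat content inherits the check, so a share intent landing
// directly on the chat picker cannot skip it; the intent is parked and replayed after unlock.
abstract class LockedActivity : Activity() {
    override fun onResume() {
        super.onResume()
        if (LockGate.unlocked) return
        val pending = intent.setClass(this, javaClass)   // pin the replay to this concrete screen
        startActivity(Intent(this, UnlockActivity::class.java).putExtra(EXTRA_PENDING, pending))
        finish()
    }
}
class ShareReceiverActivity : LockedActivity()   // the exported ACTION_SEND target
class UnlockActivity : FragmentActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val pending = intent.getParcelableExtra<Intent>(EXTRA_PENDING)
        val onSuccess = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                LockGate.unlocked = true
                pending?.let { startActivity(it) }   // LockedActivity.onResume now lets it through
                finish()
            }
        }
        val info = BiometricPrompt.PromptInfo.Builder().setTitle("Unlock")
            .setAllowedAuthenticators(Authenticators.BIOMETRIC_STRONG or Authenticators.DEVICE_CREDENTIAL).build()
        BiometricPrompt(this, ContextCompat.getMainExecutor(this), onSuccess).authenticate(info)
    }
}
```

The contrast with the behaviour described above is that the check lives in the base class every content screen inherits, not in the launcher activity alone, so there is no second path that reaches the chat list while the gate is closed.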
I reported this exact bug, with a detailed description, to META, expressing concern about the PIN bypass via link sharing. Full technical specification included. After a few minutes, I received an AI-generated response asking for more information, which I provided through the proper forms. After several more minutes, META replied:
Thanks again for your submission. We occasionally ask people to enter their WhatsApp 2FA code on the mobile app to prevent people from forgetting their 2FA code. The challenge you are being presented with here is not a real 2FA verification but a challenge that helps people remember their 2FA code. This is also mentioned on the challenge itself as well as on our public FAQ section we have regarding WhatsApp 2FA which is linked below. Since this is not a security control, we don’t consider a bypass of such reminder challenges a valid security vulnerability. More info: https://faq.WhatsApp.com/general/verification/about-two-step-verification
Advanced mnemonic method 2FA
To my surprise, the response indicated that this 2FA isn’t a security feature (“is not a real 2FA verification”) but a kind of reminder. This struck me as odd, so I dug deeper. I read the small print in the section where 2FA is enabled, only to discover that it isn’t a security feature at all. The FAQ section further confirmed this: the so-called “security” is actually a quasi-mnemonic method to remind users of their PIN, which is apparently used only for re-registering the phone number. So why does it block the entire screen every time, pretending to be a security feature against unauthorized access?
It is possible to disable 2FA without entering the PIN
I ran multiple tests, and every time, I was prompted for the PIN upon launching the app. Yet, I easily bypassed this, and even non-technical users could do the same. No advanced skills are needed. After receiving META’s email, I began reading their terms of service to understand what this so-called 2FA actually is, and it turns out to be a peculiar function.
Once I realized this was fucked by design, I took a closer look and discovered that on the PIN entry screen, there’s an option: “forgot your PIN?” Clicking this opens a window that allows you to disable the PIN without any verification whatsoever, deactivating what they call 2FA or, perhaps, an advanced mnemonic function. You can disable 2FA without entering the PIN by simply clicking the funny button when prompted for the PIN, deactivating a so-called security feature. In my opinion, this is a joke on the user. META’s sense of humor is on par with Monty Python.
But let’s not be too harsh. There is one real lock that protects against unauthorized access, which is the screen lock activation hidden in the PRIVACY section, where we can enable the screen lock using biometrics (see the screenshot below).
UX/UI failures: Pretending security and faulty documentation
Despite META, the app’s own disclaimers, support, and documentation all claiming there’s no problem, I firmly believe the issue remains, because the design gives the impression of providing a real security layer, which is neither true nor matches user expectations.
This is a UX/UI issue, and in my opinion, a misleading description of the feature in the ACCOUNT section using the term “two-step verification” for a function that does not fulfill that role. It’s not real two-step verification, and META’s support admitted this in their response to my report: “The challenge you are being presented with here is not a real 2FA verification but a challenge that helps people remember their 2FA code!”
However, that’s not the end. Additionally, there are issues in the documentation, where the flawed deactivation method is described, suggesting that it is perfectly secured against deactivation. It’s not. You can deactivate it using the funny little link I mentioned above.
Why do we bother with this topic, and why am I writing about it?
Paranoid approach as anticipating user behavior
With this article, I want to show you that the paranoid approach—anticipating user behavior when assessing applications—is a critical element in our work and can contribute to improved security by exposing flaws.
Revealing such embarrassing, decorative security features, creating truly functional ones, and contributing to good practices overall help raise awareness among non-technical users, which I consider a key factor in today’s complex cyber world. So, using the term “two-step verification” in the ACCOUNT section is a misunderstanding. I would also like to point out once again that it’s worth reading the terms and conditions carefully because a decorative security feature may be explicitly exposed in the documentation as a pseudo-functionality, as META openly writes without shame.
Thus, we see that the principle of limited trust—controlled paranoia in event analysis—allows us to spot mistakes and take a critical approach to the subject. Of course, we could have chosen a sexier topic, but as I said before, I’m an amateur.
The falsification stage: How to ensure paranoia doesn’t turn into madness?
As in analyzing conspiracy theories, literature, or intelligence work, a paranoid approach must be controlled. If we let our imagination run wild, madness awaits on the other side of the rabbit hole. Falsification occurs through a thorough case analysis. I contacted the responsible people. Additionally, I involved a colleague who offered support in reproducing the issue on various devices, and we had initially planned debugging. It’s always an exciting matter, and you can learn something… Of course, this phase never started once we realized that it’s fucked by design.
Want to learn more about critical thinking in IT?
The topic of a paranoid approach as a working method is extensive. I’m not an expert, but I have many thoughts on it and have read material on the subject. If you’re interested, I encourage you to explore topics like threat modeling (source: https://www.securing.pl/en/thinking-what-can-go-wrong-introduction-to-threat-modeling/) and an excellent article by Sean Gallagher, responsible for the cybersecurity segment at Ars Technica:
“But my paranoia is also based on a rational evaluation of what I might encounter in my day-to-day: it’s based on my threat model.” (source: https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/)
As we can see, paranoia is an element of a rational strategy. And precisely because it’s under the control of reason, despite having elements of out-of-the-box thinking, it forms an excellent basis for anticipating threats and reducing risks in IT. These are simple articles that perfectly complement the topics presented here. As an amateur, I recommend them to other amateurs.
In the upcoming parts, I will delve into paranoid interpretations using the semiological concepts of Umberto Eco, and into why paranoid interpretations are the foundation of conspiracy theories. We’ll discuss how controlled paranoia is used in intelligence services, when controlled paranoia slips from reason’s grasp, and the consequences of this. This will also be explored through examples of spy mania. Severski has mentioned several times in interviews the term controlled paranoia to describe the work of an intelligence officer. It promises to be an exciting read.
Thank you for your patience in waiting for the promised texts…
Sources:
https://faq.WhatsApp.com/general/verification/about-two-step-verification
https://faq.WhatsApp.com/1920866721452534?helpref=faq_content
https://faq.WhatsApp.com/2183055648554771/?helpref=hc_fnav