
Hijacking Whatsapp and how to prevent it

Sweevo

Honorary Master
Joined
Jul 18, 2008
Messages
27,208
#1
So this might be common knowledge to most, but I thought I'd just post my quick experience of how easy it is to hijack a Whatsapp profile with limited access to the person's phone.

1) Install or reinstall Whatsapp on your device (or Android emulator) - the device needn't have a SIM, only internet connectivity.
2) When you start Whatsapp, it asks for your cell number to verify it - enter the number of the target phone to hijack
3) It takes a minute to verify the phone then it sends an SMS to the target phone
4) Glance at the target phone screen and get the 6 digit code that was SMS'd (even if it's locked, it could show up on the lock screen - this depends on the phone and setup)
5) Enter it into your phone into Whatsapp
DONE

You now have full access to the victim's whatsapp to send / receive messages (and possibly bank with Absa if they have set it up on Whatsapp?)

Steps to prevent being hijacked this way:
1) Disable sensitive notifications on your lock screen (both Android and iOS can do this - under settings) - obviously have a secure pin / lock screen. Depending on the model and Android flavour, how this is set differs. If your phone doesn't show incoming SMS text on the lock screen, then you're sorted.
2) Enable Whatsapp 2FA - when the attacker tries to set up Whatsapp on the new device, it requests your 2FA pin.
 
Last edited:
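
The registration flow discussed in the opening post, as an added example that is not part of the original post and is not WhatsApp's code: a toy server model showing why the SMS code alone rebinds an account to a new device, and how a 2FA PIN stops that. The class, method names, phone number and PIN are all constructed for illustration.

```python
import hmac
import secrets


class RegistrationServer:
    """Toy model of SMS-verified registration (hypothetical, not WhatsApp's code)."""

    def __init__(self):
        self.pending = {}  # number -> one-time SMS code awaiting verification
        self.active = {}   # number -> device currently bound to the account
        self.pins = {}     # number -> optional second-factor PIN

    def request_code(self, number):
        """Issue a 6-digit code; a real service would deliver it by SMS to `number`."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        return code  # returned only so the simulation can play the SMS channel

    def enable_pin(self, number, device, pin):
        """Only the currently registered device may set the PIN."""
        if self.active.get(number) != device:
            raise PermissionError("not the registered device")
        self.pins[number] = pin

    def register(self, number, device, sms_code, pin=None):
        """Bind `number` to `device`; returns (ok, reason)."""
        expected = self.pending.get(number)
        if expected is None or not hmac.compare_digest(expected, sms_code):
            return False, "bad or missing SMS code"
        stored = self.pins.get(number)
        if stored is not None and (pin is None or not hmac.compare_digest(stored, pin)):
            return False, "2FA PIN required"  # the SMS code alone is not enough
        del self.pending[number]              # consume the one-time code
        self.active[number] = device          # the previous device is logged out
        return True, "registered"


def simulate(pin_enabled):
    """Replay the thread's scenario; returns (second_device_result, device_holding_account)."""
    number = "+27000000000"                   # constructed sample number
    srv = RegistrationServer()
    srv.register(number, "owner-phone", srv.request_code(number))
    if pin_enabled:
        srv.enable_pin(number, "owner-phone", "493817")  # constructed PIN
    leaked = srv.request_code(number)         # code visible on the owner's lock screen
    result = srv.register(number, "second-phone", leaked)  # knows the code, not the PIN
    return result, srv.active[number]
```

Without the PIN the account moves to the second device and the owner's phone is logged out, which is the "re-verify" prompt described later in the thread; with the PIN set, the owner's phone stays bound.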

Bryn

Doubleplusgood
Joined
Oct 29, 2010
Messages
13,218
#2
My phone has a thing in the notification bar when WhatsApp Web is active. Surely it's impossible for someone to stealthily use your WhatsApp?

And these days everyone has biometric security. Just don't leave your phone unguarded.
 

Sweevo

Honorary Master
Joined
Jul 18, 2008
Messages
27,208
#3
> My phone has a thing in the notification bar when WhatsApp Web is active. Surely it's impossible for someone to stealthily use your WhatsApp?
>
> And these days everyone has biometric security. Just don't leave your phone unguarded.
I'm talking about taking over Whatsapp - not using WA web, but yes - hopefully you should notice it before damage is done... The minute you try access WA on your phone, it will say it's been enabled on another phone and you have to re-enable it on your phone to access it. If you see that, you know you've been compromised and you should immediately enter your phone number and re-register your phone to get the other party logged out on their device.

HOWEVER, if your phone is stolen... no need for the thief to even unlock it before they access WA (unless you have sensitive notifications on lock screen disabled)... and SQUAT you can do about it until you do a sim swap.

Even biometric security does nothing if the default setting of showing the full notification is enabled on the lock screen.
 
Last edited:

isie

Executive Member
Joined
Jan 16, 2010
Messages
9,495
#7
> So this might be common knowledge to most, but I thought I'd just post my quick experience of how easy it is to hijack a Whatsapp profile with limited access to the person's phone.
>
> 1) Install or reinstall Whatsapp on your device (or Android emulator) - the device needn't have a SIM, only internet connectivity.
> 2) When you start Whatsapp, it asks for your cell number to verify it - enter the number of the target phone to hijack
> 3) It takes a minute to verify the phone then it sends an SMS to the target phone
> 4) Glance at the target phone screen and get the 6 digit code that was SMS'd (even if it's locked, it could show up on the lock screen)
> 5) Enter it into your phone into Whatsapp
>
> DONE
> You now have full access to the victim's whatsapp to send / receive messages (and possibly bank with Absa if they have set it up on Whatsapp?)
>
> Steps to prevent being hijacked this way:
> 1) Disable sensitive notifications on your lock screen (both Android and iOS can do this - under settings) - obviously have a secure pin / lock screen
> 2) Enable Whatsapp 2FA - when the attacker tries to set up Whatsapp on the new device, it requests your 2FA pin.
flaws in your plan first phone will have a message pop up to say you need to re-verify whatsapp, do that and control is yours again, the second phone will then get the verification and then cannot te sms.

and main flaw you need to get my phone and access to messages if not secure and open the first place whatsapp is the least of your concerns
 

Sweevo

Honorary Master
Joined
Jul 18, 2008
Messages
27,208
#9
> flaws in your plan first phone will have a message pop up to say you need to re-verify whatsapp, do that and control is yours again, the second phone will then get the verification and then cannot te sms.
Good luck getting that right if your phone is stolen... or temporarily "missing"

> And main flaw you need to get my phone and access to messages if not secure and open the first place whatsapp is the least of your concerns
I don't need to access old messages to pose as you and message others or receive new messages... or transact with ABSA (last one yet to be tested)
 

isie

Executive Member
Joined
Jan 16, 2010
Messages
9,495
#11
> Good luck getting that right if your phone is stolen... or temporarily "missing"
if it's temporarily missing that means i get my phone back the unverified message will popup, if stolen see below
either way i say good luck getting into my phone
> I don't need to access old messages to pose as you and message others or receive new messages... or transact with ABSA (last one yet to be tested)
you need access to my new messages, how can you do that if i have my phone, if you have my phone and I don't have some sort of security then like i said having my whatsapp is the least of my worries.
if my phone is stolen chances are the person will wipe the phone, that wipes whatsapp - if the reason they stole it is to have access to my whatsapp that is only until i block the sim and swapped - yes a lot can happen in that time but again i say if my phone is with anyone else and not secure whatsapp is the least of my worries.
 

genetic

Honorary Master
Joined
Apr 26, 2008
Messages
25,189
#12
> you need access to my new messages, how can you do that if i have my phone, if you have my phone and I don't have some sort of security then like i said having my whatsapp is the least of my worries.
This.

If you're foolish enough to leave your phone unsecured, then you have bigger issues.
 

Sweevo

Honorary Master
Joined
Jul 18, 2008
Messages
27,208
#14
> if it's temporarily missing that means i get my phone back the unverified message will popup, if stolen see below
> either way i say good luck getting into my phone
No. I "hide" your phone after getting into your Whatsapp using my phone. Just one scenario. You have no way to stop me using Whatsapp from my phone until you do a sim swap.


> You need access to my new messages, how can you do that if i have my phone, if you have my phone and I don't have some sort of security then like i said having my whatsapp is the least of my worries.
You'll have to be more specific. Android and iOS show SMS contents on the lock screen by default.
> If my phone is stolen chances are the person will wipe the phone, that wipes whatsapp - if the reason they stole it is to have access to my whatsapp that is only until i block the sim and swapped - yes a lot can happen in that time but again i say if my phone is with anyone else and not secure whatsapp is the least of my worries.
I've seen this first hand. Friends and family phone frantically to find out if your daughter is OK because they got a Whatsapp to say they're stranded and need cash... please send cardless ATM cash. This scenario involved someone you know or who knows you possibly via a third party hence has your number.
 
Last edited:

isie

Executive Member
Joined
Jan 16, 2010
Messages
9,495
#15
> No. I "hide" your phone after getting into your Whatsapp using my phone. Just one scenario. You have no way to stop me using Whatsapp from my phone until you do a sim swap.
>
> You'll have to be more specific. Android and iOS show SMS contents on the lock screen by default.
>
> I've seen this first hand. Friends and family phone frantically to find out if your daughter is OK because they got a Whatsapp to say they're stranded and need cash... please send cardless ATM cash. This scenario involved someone you know or who knows you possibly via a third party hence has your number.
You don't seem to understand - if a person is stupid enough to leave their phone without a basic lock, whatsapp is the least of their worries - look at what your phone has become, it is the key to pretty much everything, your email, sms, banking etc is on it - i can reset password for pretty much any website once i have your email and sms - this is not a whatsapp issue this is their own stupidity.

Simple lock your phone and ensure you have find my phone on android and whatever the equivalent is on iPhone - you can remotely wipe your phone - yes it needs a data connection to do this - but so do the scammers in order to do what you're expecting them to do.
 

Sweevo

Honorary Master
Joined
Jul 18, 2008
Messages
27,208
#19
> You don't seem to understand - if a person is stupid enough to leave their phone without a basic lock, whatsapp is the least of their worries
No, you don't seem to understand. Look at the opening post. The PHONE IS LOCKED. Do you need a video?

> look at what your phone has become, it is the key to pretty much everything, your email, sms, banking etc is on it - i can reset password for pretty much any website once i have your email and sms - this is not a whatsapp issue this is their own stupidity.

You do realise that not EVERYONE knows about the setting to turn off lock screen sensitive notifications? If you do, then why are you arguing the point of how easy it is to hijack Whatsapp when instructions for setting your phone up properly are already in the opening post?

> Simple lock your phone and ensure you have find my phone on android and whatever the equivalent is on iPhone - you can remotely wipe your phone - yes it needs a data connection to do this - but so do the scammers in order to do what you're expecting them to do.
Again, locking your phone does SQUAT to prevent Whatsapp hijacking. How many times must it be said?
 
Last edited:

Sweevo

Honorary Master
Joined
Jul 18, 2008
Messages
27,208
#20
lol I can't even find a way to make notifications display on the lock screen of my p20lite
P20 lite is special it seems :D

https://forums.androidcentral.com/a...wei-p20-pro-no-lock-screen-notifications.html
https://forum.xda-developers.com/huawei-p20-pro/help/lock-screen-notifications-content-t3776064

I wouldn't be surprised if this is something that manufacturers are moving away from, but certainly with Android, every handset manufacturer presents an adventure in figuring out how their kludge works.
 