The Israel National Cyber Security Authority has sent out a nationwide security alert, warning users about a new method of hijacking WhatsApp accounts.
The Israeli Prime Minister’s Office said in a statement that they have received several reports of private WhatsApp accounts being hacked.
The method, which has been used to hijack many WhatsApp accounts already, uses the mobile providers’ voicemail systems.
ZDNet reported that users who have voicemail accounts with default passwords – typically 0000 or 1234 – are at risk.
The WhatsApp account takeover attack happens as follows:
- The attacker tries to add a legitimate user’s phone number to a new WhatsApp installation on his own phone.
- WhatsApp’s security procedure will send a one-time code via SMS to the victim’s phone. This will alert the legitimate user of the attack, but if it happens when they are asleep, they will not know.
- After several failed SMS validation attempts, WhatsApp offers the option of “voice verification”: WhatsApp calls the victim’s phone and reads out the one-time verification code.
- If the victim does not answer, this call, and the code spoken in it, ends up in the victim’s voicemail.
- The attacker can now log in to the victim’s voicemail account (protected only by a default or guessable password), listen to the one-time code, and use it to hijack the victim’s WhatsApp account.
“Once the hacker has gained access to the WhatsApp account, he can enable two-step verification, which would prevent the legitimate owner from re-taking control over his WhatsApp account without a six-digit number only the attacker knows,” ZDNet explained.
To prevent falling victim to this WhatsApp account hacking method, users are encouraged to change their voicemail passwords and enable WhatsApp’s two-step verification.
WhatsApp account hijacking demo
Security researcher Martin Vigo demonstrated how a WhatsApp account can be hijacked via voicemail at DEF CON 26.