WhatsApp’s end-to-end encryption keeps the content of conversations private, but the platform’s registration flow is vulnerable to a simple attack that can hijack a user’s WhatsApp account.
The method, discovered last year, lets an attacker with little technical knowledge take over a target’s WhatsApp account by stealing the verification code that WhatsApp leaves in the target’s voicemail inbox.
How is the WhatsApp Account Hijacked?
The vulnerability, which can be used to take over someone’s WhatsApp account, was spotted last year by security expert Ran Bar-Zik. However, it can only be exploited if the target uses voicemail and either has no complex PIN or still uses a default PIN such as 1234 or 1111.
Hacking Voice Mail
An attacker installs WhatsApp on their own device and enters the target’s mobile number during registration, after which WhatsApp sends a verification code to the target’s phone. Because registering a number on a second device triggers a security alert to the target, the attacker times the attempt for when the target is unlikely to be active, for example after midnight.
After requesting the verification code several times, the attacker can tell WhatsApp that the SMS was not received, at which point WhatsApp delivers the same code by automated voice call. If the target does not answer the call, the code is left as a message in their voicemail.
If the victim’s voicemail is protected only by a weak PIN, the attacker can dial into it remotely, retrieve the message containing the verification code, and complete the registration of the victim’s number on another device.
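The sequence just described (repeated code requests, a switch to voice-call delivery, an off-hours start) is a pattern a messaging provider or a monitoring team could look for in registration logs. The following is an added detection example, not code from WhatsApp or from the researcher; the log format, the event names, the 15-minute window, the off-hours range and the sample events are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registration events (hypothetical log format):
# (ISO timestamp in local time, phone number, event type)
EVENTS = [
    ("2019-03-02T00:41:10", "+15551230001", "register_start"),
    ("2019-03-02T00:41:12", "+15551230001", "sms_code_sent"),
    ("2019-03-02T00:43:05", "+15551230001", "sms_code_sent"),
    ("2019-03-02T00:45:30", "+15551230001", "sms_code_sent"),
    ("2019-03-02T00:46:00", "+15551230001", "voice_call_fallback"),
    ("2019-03-02T00:47:20", "+15551230001", "code_verified"),
    ("2019-03-02T14:10:00", "+15551230002", "register_start"),
    ("2019-03-02T14:10:02", "+15551230002", "sms_code_sent"),
    ("2019-03-02T14:11:00", "+15551230002", "code_verified"),
]

WINDOW = timedelta(minutes=15)   # assumed correlation window
OFF_HOURS = range(0, 6)          # assumed "target likely asleep" hours, 00:00-05:59


def flag_suspicious_registrations(events, window=WINDOW, min_sms=3):
    """Return {number: reasons} for registrations that match the voicemail-hijack
    pattern: at least `min_sms` SMS code requests followed by a voice-call
    fallback inside one window. An off-hours start is recorded as an extra reason
    but is not required, since legitimate users also register at night."""
    by_number = defaultdict(list)
    for ts, number, kind in events:
        by_number[number].append((datetime.fromisoformat(ts), kind))

    flagged = {}
    for number, evs in by_number.items():
        evs.sort()
        for i, (start, kind) in enumerate(evs):
            if kind != "register_start":
                continue
            # Only events within the window after this registration attempt count.
            in_window = [k for t, k in evs[i:] if t - start <= window]
            sms = in_window.count("sms_code_sent")
            voice = "voice_call_fallback" in in_window
            if sms >= min_sms and voice:
                reasons = [f"{sms} sms codes within {window}", "voice-call fallback"]
                if start.hour in OFF_HOURS:
                    reasons.append("off-hours start")
                flagged[number] = reasons
    return flagged


if __name__ == "__main__":
    for number, reasons in flag_suspicious_registrations(EVENTS).items():
        print(number, "->", "; ".join(reasons))
```

Tuning the thresholds against real traffic is the defender’s job; the point is that the code-request-then-voice-fallback sequence is observable server-side even though the voicemail PIN guess itself happens on the carrier’s network.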
The hacker now has access to the victim’s WhatsApp account and can also lock the victim out permanently by activating the two-factor authentication feature. The only way to prevent this attack is to activate WhatsApp’s two-factor authentication feature and set a stronger PIN on one’s voicemail.