It’s the dangerous WhatsApp hack that won’t go away—and that’s because it works: it’s effective, and it enables an attacker to hijack your account and use it to commit fraud against your friends and contacts. It’s stupidly simple, relying on you doing something you absolutely should not. And, worse still, there is one setting that you and every other user can change to fully protect yourselves against this attack.
I first covered this hack back in January, although there were reports going back to last year. It relies on social engineering and user security complacency. It is the hack I get the most emails about, still to this day, as users around the world struggle to restore their accounts after falling victim. And now the hack has returned with a menacing new twist to trick more victims. Make sure you don’t join them—here’s how it works and what you must do.
Despite sending its messages over any internet bearer, WhatsApp is still linked to your phone number. This is central to the way it works—your phone number is your unique identifier and the app can only be on one device at a time, even though its web access platform provides a window onto that device.
Because this is how WhatsApp works, when a user changes their phone or reinstalls the app, WhatsApp needs to verify that the new device is linked to the user’s phone number. This is done through a verification SMS with a six-digit code. Once the user taps in the right code, the new installation of WhatsApp is enabled and all messages sent to that user will come to that device.
Importantly, this does not restore any messaging backup—those are managed by the device’s backup process, different for iOS and Android. But even restoring a backup will not register a new device to your WhatsApp account until you have requested, received and entered that SMS verification code.
What was intended as a security strength turns out to be a surprising weakness. WhatsApp doesn’t check the phone number on the device itself, relying on that SMS. And so, if an attacker knows your number and can get your verification code, they can hijack your account and install your WhatsApp on their device, even though their device has a different phone number from your own.
Until now, the hack relied on tricking users into giving up their SMS verification codes to a supposed friend or contact. This was a trick. What is happening behind the scenes is that an attacker has already hijacked a friend’s WhatsApp or Facebook account. They then send you a message along the lines of “my SMS isn’t working, WhatsApp need to send a code and can’t, so I’ve asked them to send it to you instead. Please forward it on.”
Obviously, the code you then receive relates to your own account, not your “friend’s,” and by forwarding that code you are essentially handing an attacker everything they need to hijack your account.
Now there is a new twist. As first reported by WABetaInfo following a question from a Twitter follower, it seems that attackers have taken to spoofing messages from WhatsApp itself, asking users for those codes. Clearly an attempted account hijack. The methodology has changed but the attack vector is exactly the same. It doesn’t matter how this is done, the risk is the same and the fix is the same—as detailed below.
Last month, ESET’s Jake Moore showed how easily he could hijack a colleague’s account, viewing the SMS preview of a verification code sent to their unattended phone. “She could not believe how easy it was to take over an account and felt there should be more security in place for unsuspecting users,” Moore explains. “She rightly mentioned that many people leave their phones unattended but think nothing of it, even in public places such as restaurants and bars.”
There is a fix and it’s this. It will take you 30 seconds and you will never have your WhatsApp account hijacked in this way. You must do this now.
Confusingly, there is a different six-digit code buried in WhatsApp that you can set up now with a number of your choice, one that won’t be known to WhatsApp or anyone else. With this “Two-Step Verification” in place, even with your SMS verification code an attacker CANNOT hijack your account. Even better, your WhatsApp app will occasionally ask you to enter the code just to double-check it’s you tapping away on the keyboard.
“When you have two-step verification enabled,” WhatsApp says, “any attempt to verify your phone number must be accompanied by the six-digit PIN that you created using this feature.” Simply put—the hack will NOT work. You should also enter a backup email address as prompted; this ensures you cannot be locked out of your account if you forget your own new PIN.
“It goes without saying that you should set two factor authentication up on every account that offers it,” Moore tells me, “but many users don’t see WhatsApp like other apps and hence they may forget to activate it.”
This is the crux. Almost all of those reading this article will still have neglected to set up that code. It’s critical. The other reason you need to update this setting is that, if you don’t, you will be allowing an attacker to set up two-step verification on your account once they have hijacked it. And that will mean a delay before you recover your account.
If that does happen, though, WhatsApp accounts can be recovered without the attacker’s two-step verification code, as long as you have a new SMS code. You will lose pending messages, though. Also, if you wait too long before restoring in those circumstances, your account will be deleted and reset. WhatsApp provides full details of the way verification works in the case of a lost account here.
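The registration flow described above, as an added toy model (not WhatsApp’s code): a new device is accepted on the strength of the SMS code alone, and the two-step verification PIN, when set, is an extra check that a forwarded SMS code cannot satisfy. The phone number, device names, PIN value and single-use codes are constructed assumptions for the model.

```python
"""Toy model of the registration flow the article describes (added example,
not WhatsApp code): a new device is registered with the SMS code, and the
two-step verification PIN, when one is set, is an additional requirement."""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Account:
    phone: str
    device: str                      # device currently holding the account
    pin: Optional[str] = None        # two-step verification PIN, None if unset
    sms_code: Optional[str] = None   # outstanding verification code, if any


def send_sms_code(acct: Account) -> str:
    """A six-digit code is sent to the phone number on record."""
    acct.sms_code = f"{secrets.randbelow(10**6):06d}"
    return acct.sms_code


def register(acct: Account, device: str, sms_code: str,
             pin: Optional[str] = None) -> bool:
    """Move the account to `device` if verification passes.

    The phone number of `device` is never checked, only the SMS code, so a
    forwarded code suffices unless a two-step PIN is also required.
    Codes are treated as single use (a modelling assumption).
    """
    if acct.sms_code is None or sms_code != acct.sms_code:
        return False
    acct.sms_code = None
    if acct.pin is not None and pin != acct.pin:
        return False
    acct.device = device
    return True


def hijack_succeeds(two_step_enabled: bool) -> bool:
    """Replay the article's scenario: the victim forwards the SMS code.

    Returns True if the attacker's device ends up holding the account.
    """
    victim = Account(phone="+15550100001", device="victim-phone",  # constructed
                     pin="482913" if two_step_enabled else None)   # constructed
    code = send_sms_code(victim)        # lands on the victim's own phone
    forwarded_code = code               # victim forwards it, as asked
    register(victim, "attacker-phone", forwarded_code)  # attacker has no PIN
    return victim.device == "attacker-phone"
```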
“Once users have their WhatsApp account set up they may fail to see that it still poses a risk which could potentially lose access to their account even with a simple shoulder surf,” Moore says. “Albeit the 2 meter social distance rule may make this attack more difficult, it does, however, highlight a good reminder to never leave your phone unattended and never let anyone know the SMS.”
WhatsApp is at the forefront of secure, encrypted messaging. And as I’ve reported this month, the platform’s security is continually improving. The latest planned move is to extend end-to-end encryption to cloud backups. But, as ever with data security, it’s the simple things that let the system down.
For anyone who has fallen victim to this hack, WhatsApp has provided a guide to stolen accounts that explains the various recovery options and timelines. “It gives all the advice users should need in the event that their accounts are hijacked,” WhatsApp told me, “and how to prevent it from happening.”
Okay, so now you’ve read the article, please go and set up WhatsApp’s two-step verification right away. Don’t take the risk that you forget.