WhatsApp’s end-to-end encryption feature ensures that our conversations remain private, but the platform itself is vulnerable to a simple attack which can hijack a user’s WhatsApp account. The method, which was discovered last year, requires little technical knowledge: it takes over a target’s WhatsApp account by stealing the verification code sent to their voicemail inbox.
The vulnerability was spotted last year by a security expert named Ran Bar-Zik. However, it can only be exploited if the target uses voicemail and either doesn’t have a complex PIN or uses a default PIN such as 1234 or 1111.
Hacking Voice Mail
An attacker installs WhatsApp on his device and enters the mobile number of the target during the registration process, after which a security code will be sent to the target’s mobile number. Trying to install WhatsApp on two devices will send a security alert to the target, which is why the hacker tries to execute the hack when the target is likely not active, say after midnight.
After requesting a verification code multiple times, the attacker can indicate that he/she didn’t get the verification code via SMS, so WhatsApp will send the same code via a voice call. If the target is unable to answer the voice call, the voice message will be sent to their voicemail (yes, WhatsApp can leave the verification code in your voicemail inbox). We rarely use voicemail nowadays, and very few bother to change the default passcode that’s assigned by the mobile service provider. As a result, if the hacker tries “0000” or “1234”, they are extremely likely to confirm the state of the victim’s voicemail service. If it’s active, hijacking is possible. The hacker now has access to the victim’s WhatsApp account and can also lock the victim out permanently by activating the two-factor authentication feature.
The only way to prevent an attacker from executing the aforesaid attack is to activate WhatsApp’s two-factor authentication feature and use a stronger password for one’s voicemail.
Is it likely to be hacked?
The chances of this type of hack succeeding are quite low, since you would need to be away from your phone (for example, asleep at midnight) and your voicemail password would need to be unchanged. But Israeli hackers are succeeding with this type of “WhatsApp hack”.