WhatsApp’s end-to-end encryption feature ensures that our conversations remain private, but the platform itself is vulnerable to a simple attack that can hijack a user’s WhatsApp account. The vulnerability was spotted last year by a security expert named Ran Bar-Zik. However, it can only be exploited if the target uses voicemail and doesn’t have a complex

Hacking Voicemail

An attacker installs WhatsApp on his device and enters the mobile number of the target during the registration process, after which a security code will be sent to the target’s mobile number. Trying to install WhatsApp on two devices will send a security alert to the target, which is why the hacker attempts to execute the hack when the target is likely not active, say after midnight.

After requesting the verification code multiple times, the attacker can report that he/she didn’t receive it via SMS, so WhatsApp will send the same code via a voice call. If the target is unable to answer the voice call, the voice message will be sent to their voicemail.

The attacker can remotely access the victim’s voicemail if they are using a weak PIN, retrieve the voice message with the verification code and successfully install WhatsApp with the victim’s number on another device. The hacker now has access to the victim’s WhatsApp account and can also lock the victim out permanently by activating the two-factor authentication feature.

The only way to prevent an attacker from executing the attack above is to activate WhatsApp’s two-factor authentication feature and use a stronger password for one’s voicemail. To avoid such an attack, we should not keep a default voicemail password like 1234 or 1111.
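The advice above can be turned into a check that a help desk or a self-service portal runs before accepting a voicemail PIN. The following is an added example, not code from WhatsApp or any carrier; the function name, the six-digit minimum and the default entries beyond 1234 and 1111 are assumptions.

```python
import re

# 1234 and 1111 come from the article; the other entries are assumed
# examples of common defaults.
KNOWN_DEFAULTS = {"1234", "1111", "0000", "4321"}


def _is_sequential(pin):
    """True for ascending/descending runs such as 2345 or 9876 (9 wraps to 0)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def audit_voicemail_pin(pin, phone_number="", min_length=6):
    """Return the reasons a voicemail PIN is weak; an empty list means it passed.

    min_length=6 is an assumed policy value, not something a carrier mandates.
    """
    if not re.fullmatch(r"[0-9]+", pin):
        return ["PIN must contain digits only"]

    findings = []
    if len(pin) < min_length:
        findings.append(f"shorter than {min_length} digits")
    if pin in KNOWN_DEFAULTS:
        findings.append("known default PIN")
    # One to three digits repeated to fill the PIN: 1111, 121212, 123123.
    if re.fullmatch(r"(\d{1,3})\1+", pin):
        findings.append("repeating pattern")
    if _is_sequential(pin):
        findings.append("sequential digits")
    # A PIN lifted from the subscriber's own number is easy to guess.
    digits = re.sub(r"\D", "", phone_number)
    if digits and pin in digits:
        findings.append("PIN appears in the phone number")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; the phone number is fictional.
    for candidate in ("1234", "1111", "121212", "4821", "739152"):
        print(candidate, audit_voicemail_pin(candidate, "+1 555 010 4821"))
```
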
