Hacking WhatsApp: attackers target users who have not changed their default voicemail passwords.
Following numerous reports of WhatsApp accounts being hacked, the government of Israel issued a notice this week. The document, published by the Israeli National Cyber Defense Bureau, describes a relatively new method for hacking WhatsApp accounts using voice mail.
The method in question was first described by Oath's web developer Ran Bar-Zik. It is aimed at users who have not changed the default passwords for their voice mail (in most cases, this is 0000 or 1234).
The possibility of "stealing" someone else's account arises when an attacker attempts to add a user's phone number to a new WhatsApp installation on his phone.
As a rule, in this case, the user receives an SMS with a one-time confirmation code, and the hacking attempt is immediately disclosed. However, an attacker can easily bypass this security measure: it is enough to carry out the attack, for example, at night, when the victim is sleeping, or when he is far from the phone.
After several unsuccessful attempts to validate the one-time code, WhatsApp will offer voice verification instead. The phone will ring and the code will be dictated out loud. If the attack is carried out at a time when the victim cannot answer the phone, the message will most likely go to voice mail.
Since most telecom operators implement the ability to remotely access voice mail, an attacker can simply enter the default password, listen to the message and enter the one-time verification code into the new WhatsApp account on his device.
Thus, the user's phone number will be tied to the attacker's account. Having seized someone else's account, an attacker can configure two-factor authentication, and the victim will not be able to recover it.
According to a notification from the Israeli authorities, over the past few weeks, incidents of such attacks have increased markedly.
The National Cyber Protection Authority recommends that users set strong passwords for their voice mail and activate two-factor authentication in their WhatsApp accounts. Although the notification was issued by the Israeli authorities, the above recommendations are useful to users in other countries as well.