A researcher has just found an amazing security flaw in WhatsApp. His trick makes it possible to bypass authentication when the victim's smartphone is in airplane mode or turned off, and so to take over the victim's account!
Application developers and hackers are constantly racing to find possible flaws in APIs: some to fix them, others to exploit them. And sometimes the simplest maneuvers are the best. Zuk Avraham, a cybersecurity researcher and specialist in mobile systems, revealed on Twitter that he discovered an easy-to-implement yet formidable technique to take control of the application when the victim's smartphone is off or in airplane mode, for example when they go to bed. The key to success? The victim's voicemail.
WhatsApp hack: an attack via voicemail
Typically, when a person is sleeping, they turn off their smartphone or put it in airplane mode so phone calls don't wake them up. As a result, incoming calls are automatically redirected to voicemail. And it is at this moment, when the victim lowers their guard and surrenders to the arms of Morpheus, that the hacker can strike. According to the method discovered by Zuk Avraham, the hacker enters the person's number in order to log in to that person's WhatsApp account. The platform then sends a verification SMS but, as the smartphone is offline, the message remains pending. The hacker then makes a second attempt, this time requesting verification by call. As the phone is still unavailable, the WhatsApp service leaves a voice message in the user's mailbox containing the verification code. And that is where the trouble starts.
The recent WhatsApp accounts takeover is simple and genius.
This is how it works:
A “hacker” tries to login to your account via WhatsApp.
You get a text message with a pincode that says “Do not share this”.
You don’t share it, yet you still get hacked.
—Zuk (@ihackbanme) January 19, 2023
Most operators offer a service for listening to these voice messages remotely. To access it, the caller must enter a four-digit secret code. However, in some countries, this code defaults to the last four digits of the telephone number. The hacker only has to try that default and retrieve the WhatsApp verification code from the voicemail to gain access to the account.
The scenario is all the more worrying since the platform was the subject of a massive leak in November 2022, with the theft of the telephone data of nearly 500 million people, including more than 20 million French people; that data has since been offered for sale on the Dark Web. That's why it's important to change your default voicemail code and enable two-factor authentication (2FA), especially since, when a WhatsApp account is hacked, the recovery process can take days, giving the hacker plenty of time to defraud contacts and/or distribute malware. It only remains to hope that Meta quickly corrects this flaw.