WhatsApp accounts can be completely stolen by anyone who knows the phone number and can see the phone's screen.
There is no need to unlock the phone, and no WhatsApp password or email address is required.
This attack can easily work on coworkers, roommates, spouses, classmates, etc. It could even work on someone you have lunch or coffee with, or on your boss.
All the target needs to do is step away from the phone for a few seconds, such as when going to the bathroom.
Jake Moore, a security researcher at ESET, explained this process in a blog post today (April 20). We tried it ourselves and, to our horror, it worked perfectly.
At this point, we would normally tell you to protect yourself with the best password manager or the best anti-virus software. But this ridiculous security hole has nothing to do with passwords or malware.
Fortunately, there is an easy way to avoid this kind of attack: enable the PIN on your WhatsApp account, which you will need to enter when you migrate your account to a new phone. You can also disable text message previews.
Moore's method is ridiculously easy. Here are the steps needed to steal a WhatsApp account:
1. Install WhatsApp on a device that does not already have WhatsApp installed.
2. Wait for the target to leave their phone unattended.
3. When WhatsApp asks for a phone number, enter the target's phone number instead of your own.
4. WhatsApp will send a 6-digit confirmation code by text message to the target's phone.
5. If the target's phone has text message previews enabled (which nearly all phones, iOS and Android, do), the confirmation code will appear on the target's lock screen as a preview.
6. Enter the confirmation code into WhatsApp on the new device.
The process took 10 seconds on two phones. The confirmation code is displayed on the lock screen, so I did not need to unlock the first model to read it. The trickiest part was remembering it.
Since WhatsApp accounts can only be used on one device, the account was migrated from one to the other. If they had done this to someone else, that person would not be able to access their account.
After the transfer, WhatsApp prompted me to migrate all data backed up to Google Drive (or iCloud) to the new model. I did not do that because I wanted to transfer my account back to the first model.
However, Moore did it and was able to see all the archived chats on the colleague's account that he stole using this method. (He got her consent and restored her account on her phone once the experiment was over.)
Needless to say, you do not want others to steal your WhatsApp account. The best way to avoid this is to add a PIN to your account.
WhatsApp calls this two-step verification, but it should not be confused with two-factor authentication (2FA); WhatsApp's 2FA is a rather lax implementation, which is what got us into this trouble in the first place.
In any case, go to WhatsApp settings, tap "Account," then tap "Two-step verification"; you will be prompted to set a 6-digit PIN, which you will need to enter again the next time you move your account to a new phone.
It is also recommended that you enter your email address as a failsafe in case you forget your PIN.
Moore suggests turning off the lock-screen SMS message preview. However, that would remove many of the conveniences of using your phone.
However, I agree that cell phones should not be left unattended while out and about, or even in the house if you don't trust your roommate.