A digital risk protection company has discovered a new WhatsApp vulnerability that malicious actors can exploit to take control of an unsuspecting user’s WhatsApp account.
The process does require the use of social engineering – including ringing the victim – and trades on the fact that the average WhatsApp user is not familiar with MMI codes.
The new attack is another example of why WhatsApp users need to take security seriously, hot on the heels of a previous threat from Russian hackers.
How Dangerous is This?
This hack, first discovered by CloudSEK CEO Rahul Sasi, is facilitated by two technical facts.
Firstly, the service provided by many mobile phone carriers that lets you forward phone calls to a different number is automated. Secondly, WhatsApp allows users to receive a one-time verification code by voice call.
According to Sasi, “Within a few minutes” of the process commencing, “your WhatsApp would be logged out, and the attackers would get complete control of your account”.
The malicious actor will need the target’s phone number and some significant social engineering skills for it to work.
How the Hack Works
The threat actor must first convince a victim to call a number that starts with a Man-Machine Interface (MMI) code. These are codes that often start with ‘#’ or ‘*’.
When the victim rings the number, the MMI code instructs the mobile carrier to forward calls from the target’s phone line to the hacker’s number, for example when the target’s line is busy. However, the hacker must make sure they use an MMI code that auto-forwards every call, not just when the line is busy.
There are several different types of MMI codes, but they’re often used by phone carriers to facilitate customers checking their balance, resetting the device, or forwarding calls.
Now that the victim has been tricked into redirecting calls to the hacker’s number, the hacker starts the registration process – which includes a “one-time password via voice call” option.
With that code, they can then set up the target’s WhatsApp account on their device. The victim is likely to get a WhatsApp notification informing them that they’ve been logged in on another device, but this could easily be overlooked if the hacker rings the victim and engages in conversation with them.
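The defensive counterpart to the steps above is a dialer-side check that recognises a call-forwarding MMI string before the call is placed and warns the user, flagging unconditional forwarding (the variant the attack needs) as the highest risk. This is an added example, not code from the article or from CloudSEK; the service-code meanings come from the GSM supplementary-service standard (3GPP TS 22.030), and the phone numbers in the sample inputs are constructed.

```python
import re
from dataclasses import dataclass

# Call-forwarding service codes as defined in 3GPP TS 22.030 (standard values, not
# taken from the article). Unconditional forwarding diverts every call, which is
# the behaviour the voice-OTP takeover relies on.
FORWARDING_SERVICES = {
    "21": ("unconditional", "high"),
    "002": ("all forwarding", "high"),
    "67": ("when busy", "medium"),
    "61": ("when unanswered", "medium"),
    "62": ("when unreachable", "medium"),
    "004": ("all conditional forwarding", "medium"),
}

# Prefix (operation), service code, optional supplementary info, '#' terminator.
MMI_RE = re.compile(r"^(?P<op>\*\*|\*#|\*|##|#)(?P<sc>\d{2,3})(?:\*(?P<si>[^#]*))?#$")
OPERATIONS = {"*": "activate", "**": "register", "#": "deactivate", "##": "erase", "*#": "check"}


@dataclass
class MmiVerdict:
    is_forwarding: bool
    operation: str  # activate / register / deactivate / erase / check / none
    condition: str  # which calls are diverted
    risk: str       # high / medium / low / none
    target: str     # number the calls would be sent to, if any


def classify_dialed_string(dialed: str) -> MmiVerdict:
    """Return what a dialed string would do to call forwarding on the line."""
    s = re.sub(r"\s+", "", dialed)
    m = MMI_RE.match(s)
    if not m or m.group("sc") not in FORWARDING_SERVICES:
        return MmiVerdict(False, "none", "", "none", "")
    operation = OPERATIONS[m.group("op")]
    condition, risk = FORWARDING_SERVICES[m.group("sc")]
    # The first supplementary-info field is the forwarding destination.
    target = (m.group("si") or "").split("*")[0]
    if operation in ("deactivate", "erase", "check"):
        risk = "low"  # these cannot divert calls away from the user
    return MmiVerdict(True, operation, condition, risk, target)


def warning_for(dialed: str) -> str:
    """Text a dialer could show before placing the call; empty if no warning applies."""
    v = classify_dialed_string(dialed)
    if not v.is_forwarding or v.risk == "low":
        return ""
    return (f"This code would {v.operation} call forwarding ({v.condition}) "
            f"to {v.target or 'an unknown number'}. Risk: {v.risk}.")
```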
How Can I Avoid the WhatsApp Hack?
There's one easy way to ensure this never happens to you – turning on two-factor authentication (2FA) in WhatsApp. The hacker, in this case, would not only need your phone number, but also a security PIN – rendering the current iteration of the hack obsolete.
It's always important to utilize tech that can genuinely decrease your chances of getting hacked, like password managers and VPNs. But education is equally important. There are thousands – if not millions – of people who have accounts with services that provide 2FA yet don't activate it.
2FA is a simple, easy-to-implement second layer of account security, one that could very well save your skin if a hacker targets you with a scam like this. All in all, it's better to be safe than sorry, so activate 2FA on WhatsApp as soon as you can.
2FA is better than no 2FA, of course – but the scam above is a testament to the fact that mobile phone carriers are easy to exploit. If you can, download an authenticator app instead, and use that to receive your codes.