Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking

Israeli government authorities warn users about new method of hijacking WhatsApp accounts.
Written by Catalin Cimpanu, Contributor

A wave of reports about hijacked WhatsApp accounts in Israel has forced the government's cyber-security agency to send out a nation-wide security alert on Tuesday, ZDNet has learned.

The alert, authored by the Israel National Cyber Security Authority, warns about a relatively new method of hijacking WhatsApp accounts using mobile providers' voicemail systems.

This new hacking method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath.

The general idea is that users who have a voicemail mailbox attached to their phone number are at risk if they never change that mailbox's default PIN, which in most cases is either 0000 or 1234.

The takeover begins when an attacker registers the legitimate user's phone number on a fresh WhatsApp installation on the attacker's own phone.

As part of its normal registration flow, WhatsApp then sends a one-time code via SMS to that phone number. This would typically alert the user to an attack in progress, but Bar-Zik argues that an attacker can easily avoid this by carrying out the attack at night or at a time when the victim is known to be away from the phone.

After several failed attempts to enter the SMS code, WhatsApp offers a "voice verification" fallback, in which the service calls the phone number and reads the one-time verification code out loud.

If the attacker has timed the attempt so that the victim can't or won't answer, that call is not picked up and the spoken code ends up as a recording in the victim's voicemail mailbox.

Since most mobile carriers allow a mailbox to be accessed remotely from any phone, typically by dialing an access number and entering the mailbox PIN, all the attacker has to do is enter the victim's (default) PIN, listen to the recorded message to recover the one-time code, and type it into the WhatsApp installation on the attacker's device. This links the victim's phone number to the attacker's device and effectively hijacks the account from its legitimate owner.

Once the attacker controls the account, he or she can enable WhatsApp's two-step verification, which prevents the legitimate owner from re-registering the number without a six-digit PIN that only the attacker knows.

The technique requires no technical skills or equipment, and according to Israeli authorities it has been used widely in recent weeks, leading to numerous reports of hijacked accounts.

In their alert, Israeli authorities recommend that users either set a strong PIN on their mobile voicemail mailbox or enable two-step verification on their WhatsApp account, so that the attacker cannot complete the registration of the phone number in the first place. Although the alert was sent by Israeli authorities, users in other parts of the world may be just as exposed, because the weakness lies in the carrier's voicemail defaults rather than in anything specific to Israel.
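The takeover sequence described above, together with the two mitigations the alert recommends, as an added simulation (not WhatsApp's or any carrier's code). The verification service, the carrier's voicemail system and the attacker are all modelled in-process; the fallback threshold, the carrier's lockout limit and the victim's phone number are assumptions, and the only "real" inputs are the default PINs the article cites.

```python
"""Simulation of the voicemail-based account takeover described above.

Constructed example, not WhatsApp's or any carrier's code. The verification
service, the carrier's voicemail system and the attacker are all modelled
in-process; the thresholds below are assumptions, not documented values.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_VOICEMAIL_PINS = ["0000", "1234"]  # defaults named in the article
SMS_FAILURES_BEFORE_VOICE = 3              # assumed fallback threshold
VOICEMAIL_MAX_ATTEMPTS = 5                 # assumed carrier lockout limit


@dataclass
class Mailbox:
    pin: str
    messages: List[str] = field(default_factory=list)
    failed_logins: int = 0


class Carrier:
    """Voicemail system with the remote-access feature the attack relies on."""

    def __init__(self, pins: Dict[str, str]):
        self.boxes = {number: Mailbox(pin) for number, pin in pins.items()}

    def deliver(self, number: str, message: str) -> None:
        self.boxes[number].messages.append(message)

    def remote_login(self, number: str, pin: str) -> Optional[List[str]]:
        """Anyone can dial in; only the PIN stands between them and the box."""
        box = self.boxes[number]
        if box.failed_logins >= VOICEMAIL_MAX_ATTEMPTS:
            return None                       # locked out
        if pin != box.pin:
            box.failed_logins += 1
            return None
        return list(box.messages)


@dataclass
class Subscriber:
    number: str
    answers_phone: bool                      # False while asleep or away
    two_step_pin: Optional[str] = None       # WhatsApp two-step verification


class VerificationService:
    """Registers a number on a new device: SMS code first, voice call fallback."""

    def __init__(self, carrier: Carrier, subscribers: List[Subscriber]):
        self.carrier = carrier
        self.subscribers = {s.number: s for s in subscribers}
        self.sessions: Dict[str, dict] = {}

    def start(self, number: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        # The SMS goes to the real handset; the attacker never sees it.
        self.sessions[number] = {"code": code, "sms_failures": 0, "called": False}

    def submit_code(self, number: str, code: str, two_step_pin: Optional[str] = None) -> str:
        session = self.sessions[number]
        if code != session["code"]:
            session["sms_failures"] += 1
            if session["sms_failures"] >= SMS_FAILURES_BEFORE_VOICE and not session["called"]:
                self._voice_call(number)
            return "wrong_code"
        sub = self.subscribers[number]
        if sub.two_step_pin is not None and two_step_pin != sub.two_step_pin:
            return "two_step_required"
        return "registered"

    def _voice_call(self, number: str) -> None:
        session = self.sessions[number]
        session["called"] = True
        if not self.subscribers[number].answers_phone:
            # Unanswered call: the spoken code lands in voicemail.
            self.carrier.deliver(number, f"Your verification code is {session['code']}")


def attack(service: VerificationService, number: str, pin_guesses=DEFAULT_VOICEMAIL_PINS) -> str:
    """Attacker's steps: force the voice fallback, then read the code from voicemail."""
    service.start(number)
    for _ in range(SMS_FAILURES_BEFORE_VOICE):
        service.submit_code(number, "wrong")    # deliberately wrong, never matches
    for guess in pin_guesses:
        messages = service.carrier.remote_login(number, guess)
        if messages:
            code = messages[-1].split()[-1]
            return service.submit_code(number, code)
    return "no_voicemail_access"


def scenario(voicemail_pin: str, two_step_pin: Optional[str] = None,
             pin_guesses=DEFAULT_VOICEMAIL_PINS) -> str:
    """Run one takeover attempt against a victim who is away from the phone."""
    number = "+972-5X-XXX-XXXX"                # placeholder, not a real number
    carrier = Carrier({number: voicemail_pin})
    victim = Subscriber(number, answers_phone=False, two_step_pin=two_step_pin)
    return attack(VerificationService(carrier, [victim]), number, pin_guesses)


if __name__ == "__main__":
    print("default PIN, no two-step:", scenario("0000"))
    print("changed PIN:", scenario("8271"))
    print("default PIN, two-step on:", scenario("1234", two_step_pin="415926"))
    print("changed PIN, brute force:",
          scenario("8271", pin_guesses=[f"{i:04d}" for i in range(10000)]))
```

The first scenario reproduces the takeover: three bad SMS codes trigger the voice call, the unanswered call is recorded, and the default PIN opens the mailbox. Changing the mailbox PIN stops the attacker at the carrier, while two-step verification stops the attacker at WhatsApp even after the code has been recovered. The last scenario is the caveat a practitioner should check with their own carrier: a changed PIN only helps if remote voicemail access is rate-limited or locks out, since a four-digit PIN with unlimited attempts is trivially brute-forced.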

"It is a VERY known issue and I don't think it is related to Facebook but to the weak security of the phone company's answering machine," Bar-Zik told ZDNet.

A better way to mitigate such attacks would be for carriers to stop shipping the same default PIN to every customer and instead derive a per-customer default from personal identifiers, such as a birthday or the last digits of an ID card number. This is not perfect, since anyone who knows the victim can guess such values, but it is better than 0000 or 1234; limiting the number of failed remote login attempts before a mailbox locks would also blunt the attack regardless of how the default is chosen.

Over the summer, security researcher Martin Vigo expanded on this technique, showing how attackers could use voicemail mailboxes to hijack more than WhatsApp accounts, including Facebook, Google, Twitter, WordPress, eBay, and PayPal profiles. He also created a tool to automate these attacks, called Ransombile.
