Experts have uncovered a method for threat actors to hijack almost any WhatsApp(opens in new tab) account, getting access to all the messages and the contact lists found in the app.
Rahul Sasi, founder and CEO of digital risk protection company CloudSEK, discovered that by using automated call forwarding that some mobile services offer, together with the option to send a one-time password (OTP) verification code via voice call, an attacker can take over almost any WhatsApp account.
To successfully pull the attack off, the threat actor first needs to persuade the victim into calling a number that starts with a Man-Machine Interface (MMI) code. The number is usually set up by the mobile carrier, and is used to enable call forwarding.
Not as easy as it sounds
The number usually starts with either a star or hash symbol. As per the publication, these codes are easily found, and most of the major mobile network operators support them.
Calling this number forwards all future calls to the attacker-owned endpoint. After that, the process is relatively easy, as the attacker can initiate the WhatsApp registration process on their device, and receive the OTP via voice call.
Putting the idea to the test, BleepingComputer has found that it generally works, although with a few caveats. First, the attacker needs to trick the victim into using an MMI code that forwards all calls, not just those that are made while the line is busy.
Then, they need to make sure the victim is busy for long enough to miss the text message informing them that their WhatsApp app is being registered on another device.
Also, if the victim already has call forwarding enabled, the attackers must use a different phone number, which is “a small inconvenience that might require more social engineering”.
The method works on Verizon and Vodafone, the publication confirmed.