The researchers described an attack that allows an attacker to take over someone else's WhatsApp account, gaining access to private messages and contact lists. It relies on a WhatsApp feature that lets the one-time registration code be delivered through a voice call instead of a text message.
The method was described by CloudSEK specialists. Such an attack takes the hacker only a few minutes, although taking over someone else's account requires knowing the victim's phone number and being ready to use social engineering.
First, the attacker needs to convince the victim to dial a number that begins with the MMI code the carrier uses to activate call forwarding. Depending on the operator, the MMI code may forward all calls to another number, or only calls that arrive when the line is busy or the subscriber is unavailable. These codes typically begin with an asterisk (*) or a hash (#) and are supported by all major carriers.
Once the attacker has convinced the victim to forward calls to his number, he initiates the WhatsApp registration process on his device, choosing to receive a one-time code via voice call.
Once the code is obtained, the hacker can register the victim’s WhatsApp account on their device and enable two-factor authentication, which will prevent the real owner of the account from regaining access.
It should be noted that during the attack, the target device receives text messages informing the user that WhatsApp is being registered on another device. But the user may overlook these warnings, especially if the attacker resorts to social engineering and keeps the victim engaged in a telephone conversation while the one-time password from the messenger is being received.
Experts note that protecting against this type of attack is very simple: just enable two-factor authentication in WhatsApp.