The popular mobile messaging app WhatsApp is vulnerable to hijacking exposing hundreds of Millions of users vulnerable to attack. It could be quite easy to take over a WhatsApp account when the attacker has the phone number of the victim., even if it is locked
The attack also works in case the mobile device is locked, it doesn’t exploit any vulnerability in the popular messaging app, instead it relies on the way the account setup mechanism works are implemented by WhatsApp.
As reported by the colleagues by TheHackerNews I’m not encouraging users to hack others WhatsApp account, but the purpose of publishing this post is to warn its users about possible risks. It is a good practice not to leave it unattended the mobile device for longer durations.
The trick could be exploited by the attacker to get full control over the victim’s account and works for every mobile platform.
By choosing the right time, for example, when the victim goes away to do something (2 minutes it’s enough), the attacker just needs to perform the following actions:
Now you know the pin code, you can finish up the account creation and you will have access to your friend’s WhatsApp’s. Now assume that your victim has all his private conversations backup and you can restore all his/her chat history. Great, right?
Using this known and simple trick your colleagues can hijack your WhatsApp Account easily.
If the target uses an iPhone the hack is quite simple, especially when the owner has configured the iPhone with Siri authentication for the lock screen. In this case all the contact details are available to access the Siri’s settings, this means that an attacker can access them without the need for a PIN. In this case, the attacker can easily discover the victim’s phone number.
“Thus, if you try to steal the account information of WhatsApp, without even having the phone number of the target user, you can just call your number from target’s phone using Siri.target’s phone using Siri.” states THN.
Below the video PoC for the WhatsApp hack.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.