The popular mobile messaging app WhatsApp is vulnerable to hijacking exposing hundreds of Millions of users vulnerable to attack. It could be quite easy to take over a WhatsApp account when the attacker has the phone number of the victim., even if it is locked
The attack also works in case the mobile device is locked, it doesn’t exploit any vulnerability in the popular messaging app, instead it relies on the way the account setup mechanism works are implemented by WhatsApp.
As reported by the colleagues by TheHackerNews I’m not encouraging users to hack others WhatsApp account, but the purpose of publishing this post is to warn its users about possible risks. It is a good practice not to leave it unattended the mobile device for longer durations.
The trick could be exploited by the attacker to get full control over the victim’s account and works for every mobile platform.
By choosing the right time, for example, when the victim goes away to do something (2 minutes it’s enough), the attacker just needs to perform the following actions:
Now you know the pin code, you can finish up the account creation and you will have access to your friend’s WhatsApp’s. Now assume that your victim has all his private conversations backup and you can restore all his/her chat history. Great, right?
Using this known and simple trick your colleagues can hijack your WhatsApp Account easily.
If the target uses an iPhone the hack is quite simple, especially when the owner has configured the iPhone with Siri authentication for the lock screen. In this case all the contact details are available to access the Siri’s settings, this means that an attacker can access them without the need for a PIN. In this case, the attacker can easily discover the victim’s phone number.
“Thus, if you try to steal the account information of WhatsApp, without even having the phone number of the target user, you can just call your number from target’s phone using Siri.target’s phone using Siri.” states THN.
Below the video PoC for the WhatsApp hack.