WhatsApp flaw leaves users open to 'shoulder surfing' attacks

Hackers can gain full access to individual’s WhatsApp accounts using just their phone number

WhatsApp chat on a smartphone screen

WhatsApp users are susceptible to shoulder surfing attacks due to the way the service restores accounts to new devices, with hackers able to compromise individuals using just their phone number.

Messages sent through WhatsApp are protected through end-to-end encryption, meaning its incredibly challenging for hackers to intercept and spy on communications data.

However, a security expert has demonstrated how criminals may be able to compromise users by downloading their accounts to third-party devices.

Users logging into WhatsApp on a new device must first acquire a unique code that’s sent to them via text message. This code, once entered into the app, will validate the phone and restore account settings and history from a backup.

Should hackers manage to obtain a victim’s phone number, they can download WhatsApp on a clean device and enter this to request an account restoration code be sent via text message. Should they be within spying distance of the victim’s smartphone, they can obtain that code as and when it’s sent, according to ESET security specialist Jake Moore

From there, by simply entering the unique code into their clean device, they can fully compromise the victim’s WhatsApp account.

Moore said he devised the theory and decided to test it on a colleague, who often finds themselves at the end of his social engineering experiments. 

“Recently, I threw into our conversation that it’s always a good idea to back up your WhatsApp chats, just in case she didn’t, as I wouldn’t want her to lose them forever,” Moore said. “A few days later, I used my spare phone and downloaded the app. It requested my phone number to verify the device it was to be installed on.”

“It wasn’t long before my colleague left her desk to make a coffee, leaving her phone in view on her desk, so I entered her phone number into my new WhatsApp account. 

Related Resource

Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions

Download now

“Her phone instantly received a message (on silent) and I walked past her desk mentally noting the code. I typed it in the verification field on my spare phone. Et voilà - I had control of her account.”

While employees and IT teams may take all the precautions in the world to guard against network-based cyber attacks, they may find themselves vulnerable to in-person shoulder surfing attacks.

It’s a huge risk when in the office or even out and about. Moore, for instance, highlighted how likely we are to leave our phones by our desks while in the office, or on the table in a restaurant when dining with others.

Moore has recommended WhatsApp users guard against the attack by turning off previews for SMS messages, and, more importantly, never leave their devices unattended.

Moreover, WhatsApp created its own two-factor authentication process, which can be turned on by heading into the settings menu. Once enabled, the app will ask users for a custom PIN number at random times when they open the app. 

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
PowerShell threats increased over 200% last year
cyber security

PowerShell threats increased over 200% last year

14 Apr 2021
FBI shuts down web shells in hacked Exchange servers
cyber security

FBI shuts down web shells in hacked Exchange servers

14 Apr 2021
Russia launched over a million cyber attacks in three months
hacking

Russia launched over a million cyber attacks in three months

13 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget
Mobile Phones

Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget

13 Apr 2021